
Windows Analysis Report
getscreen-156413884-x86.exe

Overview

General Information

Sample name:getscreen-156413884-x86.exe
Analysis ID:1492032
MD5:2e9de68641b502474e5ba330fe5396bb
SHA1:a7a07fcc8643fec59e4684aaa66c64c3232e693f
SHA256:f942c4a0313d288bf7a48aa6438ddcec9fbcccd0e8c0107b61b233a0a823731a

Detection

Score:54
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:47
Range:0 - 100

Signatures

Modifies Internet Explorer zonemap settings
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Sigma detected: IE Change Domain Zone
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64native
  • getscreen-156413884-x86.exe (PID: 4144 cmdline: "C:\Users\user\Desktop\getscreen-156413884-x86.exe" MD5: 2E9DE68641B502474E5BA330FE5396BB)
    • getscreen-156413884-x86.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -gpipe \\.\pipe\PCommand97tdpsimneriwgrzu -gui MD5: 2E9DE68641B502474E5BA330FE5396BB)
    • getscreen-156413884-x86.exe (PID: 5100 cmdline: "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -cpipe \\.\pipe\PCommand96gztzxiecsokzuwc -cmem 0000pipe0PCommand96gztzxiecsokzuwcm969vla39a23oue -child MD5: 2E9DE68641B502474E5BA330FE5396BB)
  • nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe (PID: 2748 cmdline: "C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe" -elevate \\.\pipe\elevateGS512nqdzlqpayjfioefvlkmbvgukrpwcnna MD5: 2E9DE68641B502474E5BA330FE5396BB)
  • svchost.exe (PID: 6616 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: frack113; Data: Details: 2, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\getscreen-156413884-x86.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getscreen.me\http
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 908, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 6616, ProcessName: svchost.exe
No Suricata rule has matched

Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D5584E crypto_cert_get_dns_names,0_2_00D5584E
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55831 crypto_cert_free,0_2_00D55831
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00E32165 freerdp_assistance_encrypt_pass_stub,0_2_00E32165
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55966 crypto_cert_get_public_key,0_2_00D55966
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D56105 crypto_rsa_private_encrypt,0_2_00D56105
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D5590A crypto_cert_get_email,0_2_00D5590A
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D5612F crypto_rsa_public_encrypt,0_2_00D5612F
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55ABB crypto_cert_hash,0_2_00D55ABB
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55A65 crypto_cert_get_upn,0_2_00D55A65
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55A61 crypto_cert_get_signature_alg,0_2_00D55A61
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D67B3F crypto_base64_encode,0_2_00D67B3F
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55B39 crypto_cert_print_info,crypto_cert_subject,crypto_cert_issuer,crypto_cert_fingerprint,0_2_00D55B39
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55B24 crypto_cert_issuer,0_2_00D55B24
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D67B24 crypto_base64_decode,0_2_00D67B24
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00DAE437 _EncryptMessage@16,InitOnceExecuteOnce,0_2_00DAE437
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00DAE42E _DecryptMessage@16,InitOnceExecuteOnce,0_2_00DAE42E
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55D97 crypto_cert_subject_alt_name,0_2_00D55D97
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55D82 crypto_cert_subject,0_2_00D55D82
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55DA5 crypto_cert_subject_common_name,0_2_00D55DA5
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55D58 crypto_cert_read,0_2_00D55D58
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55ED1 crypto_reverse,0_2_00D55ED1
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55E14 crypto_get_certificate_data,crypto_cert_fingerprint,crypto_cert_issuer,crypto_cert_subject,certificate_data_new,0_2_00D55E14
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00E32620 freerdp_assistance_get_encrypted_pass_stub,0_2_00E32620
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55782 crypto_cert_fingerprint_by_hash,crypto_cert_hash,0_2_00D55782
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D5576E crypto_cert_fingerprint,crypto_cert_fingerprint_by_hash,0_2_00D5576E
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D63F1C certificate_data_new,crypto_base64_encode,crypto_base64_encode,0_2_00D63F1C
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 0_2_00D55732 crypto_cert_dns_names_free,0_2_00D55732
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D5584E crypto_cert_get_dns_names,2_2_00D5584E
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55831 crypto_cert_free,2_2_00D55831
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00E32165 freerdp_assistance_encrypt_pass_stub,2_2_00E32165
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55966 crypto_cert_get_public_key,2_2_00D55966
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D56105 crypto_rsa_private_encrypt,2_2_00D56105
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D5590A crypto_cert_get_email,2_2_00D5590A
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D5612F crypto_rsa_public_encrypt,2_2_00D5612F
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55ABB crypto_cert_hash,2_2_00D55ABB
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55A65 crypto_cert_get_upn,2_2_00D55A65
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55A61 crypto_cert_get_signature_alg,2_2_00D55A61
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D67B3F crypto_base64_encode,2_2_00D67B3F
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55B39 crypto_cert_print_info,crypto_cert_subject,crypto_cert_issuer,crypto_cert_fingerprint,2_2_00D55B39
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55B24 crypto_cert_issuer,2_2_00D55B24
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D67B24 crypto_base64_decode,2_2_00D67B24
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00DAE437 _EncryptMessage@16,InitOnceExecuteOnce,2_2_00DAE437
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00DAE42E _DecryptMessage@16,InitOnceExecuteOnce,2_2_00DAE42E
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55D97 crypto_cert_subject_alt_name,2_2_00D55D97
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55D82 crypto_cert_subject,2_2_00D55D82
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55DA5 crypto_cert_subject_common_name,2_2_00D55DA5
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55D58 crypto_cert_read,2_2_00D55D58
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55ED1 crypto_reverse,2_2_00D55ED1
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55E14 crypto_get_certificate_data,crypto_cert_fingerprint,crypto_cert_issuer,crypto_cert_subject,certificate_data_new,2_2_00D55E14
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00E32620 freerdp_assistance_get_encrypted_pass_stub,2_2_00E32620
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55782 crypto_cert_fingerprint_by_hash,crypto_cert_hash,2_2_00D55782
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D5576E crypto_cert_fingerprint,crypto_cert_fingerprint_by_hash,2_2_00D5576E
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D63F1C certificate_data_new,crypto_base64_encode,crypto_base64_encode,2_2_00D63F1C
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeCode function: 2_2_00D55732 crypto_cert_dns_names_free,2_2_00D55732
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA584E crypto_cert_get_dns_names,3_2_00DA584E
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5831 crypto_cert_free,3_2_00DA5831
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00E82165 freerdp_assistance_encrypt_pass_stub,3_2_00E82165
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5966 crypto_cert_get_public_key,3_2_00DA5966
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA590A crypto_cert_get_email,3_2_00DA590A
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA6105 crypto_rsa_private_encrypt,3_2_00DA6105
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA612F crypto_rsa_public_encrypt,3_2_00DA612F
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5ABB crypto_cert_hash,3_2_00DA5ABB
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5A61 crypto_cert_get_signature_alg,3_2_00DA5A61
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5A65 crypto_cert_get_upn,3_2_00DA5A65
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5B39 crypto_cert_print_info,crypto_cert_subject,crypto_cert_issuer,crypto_cert_fingerprint,3_2_00DA5B39
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DB7B3F crypto_base64_encode,3_2_00DB7B3F
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5B24 crypto_cert_issuer,3_2_00DA5B24
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DB7B24 crypto_base64_decode,3_2_00DB7B24
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DFE437 _EncryptMessage@16,InitOnceExecuteOnce,3_2_00DFE437
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DFE42E _DecryptMessage@16,InitOnceExecuteOnce,3_2_00DFE42E
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5D97 crypto_cert_subject_alt_name,3_2_00DA5D97
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5D82 crypto_cert_subject,3_2_00DA5D82
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5DA5 crypto_cert_subject_common_name,3_2_00DA5DA5
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5D58 crypto_cert_read,3_2_00DA5D58
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5ED1 crypto_reverse,3_2_00DA5ED1
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00E82620 freerdp_assistance_get_encrypted_pass_stub,3_2_00E82620
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5E14 crypto_get_certificate_data,crypto_cert_fingerprint,crypto_cert_issuer,crypto_cert_subject,certificate_data_new,3_2_00DA5E14
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5782 crypto_cert_fingerprint_by_hash,crypto_cert_hash,3_2_00DA5782
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA576E crypto_cert_fingerprint,crypto_cert_fingerprint_by_hash,3_2_00DA576E
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DB3F1C certificate_data_new,crypto_base64_encode,crypto_base64_encode,3_2_00DB3F1C
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exeCode function: 3_2_00DA5732 crypto_cert_dns_names_free,3_2_00DA5732
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe; Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION getscreen-156413884-x86.exe
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION getscreen-156413884-x86.exe

Compliance

Source: getscreen-156413884-x86.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: getscreen-156413884-x86.exe; Static PE information: certificate valid
Source: getscreen-156413884-x86.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Project\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
Source: Joe Sandbox View; IP Address: 78.47.165.25
Source: Joe Sandbox View; ASN Name: HETZNER-ASDE
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
    GET /signal/agent HTTP/1.1
    Host: getscreen.me
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
    Origin: https://getscreen.me
    Sec-WebSocket-Protocol: chat, superchat
    Sec-WebSocket-Version: 13
    User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic; DNS traffic detected: DNS query: getscreen.me
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://proxy.contoso.com:3128/
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://proxy.pcommand.com:3128
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://%S/%S/agent/chat$.typeoutprocessData4Z
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://getscreen.me/agent-policy
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link
Source: getscreen-156413884-x86.exe, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51157
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52488
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51158
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52489
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52490
Source: unknownNetwork traffic detected: HTTP traffic on port 54442 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51162
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52493
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51163
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52494
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51160
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52491
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52492
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51161
Source: unknownNetwork traffic detected: HTTP traffic on port 50812 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 52158 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51166
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52497
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51167
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52498
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51164
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52495
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52496
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51165
Source: unknownNetwork traffic detected: HTTP traffic on port 53369 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 51152 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51168
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52499
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51169
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51170
Source: unknownNetwork traffic detected: HTTP traffic on port 54191 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51173
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51174
Source: unknownNetwork traffic detected: HTTP traffic on port 53196 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51171
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51172
Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50824 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51177
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51178
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51175
Source: unknownNetwork traffic detected: HTTP traffic on port 53104 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51176
Source: unknownNetwork traffic detected: HTTP traffic on port 54556 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51179
Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51180
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51181
Source: unknownNetwork traffic detected: HTTP traffic on port 54225 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51184
Source: unknownNetwork traffic detected: HTTP traffic on port 54785 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51185
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51182
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51183
Source: unknownNetwork traffic detected: HTTP traffic on port 53333 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 52110 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 53562 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 54454 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 53002 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51108
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52439
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51109
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51106
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52437
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53769
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51107
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52438
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53768
Source: unknownNetwork traffic detected: HTTP traffic on port 54395 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 54532 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51100
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52431
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53763
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51101
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52432
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53762
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53761
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52430
Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53760
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51104
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52435
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53767
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52436
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51105
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53766
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51102
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52433
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53765
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51103
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52434
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53764
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53770
Source: unknownNetwork traffic detected: HTTP traffic on port 50848 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51119
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51117
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52448
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51118
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52449
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53779
Source: unknownNetwork traffic detected: HTTP traffic on port 52109 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51111
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52442
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53774
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51112
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53773
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52440
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53772
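The traffic list above records each direction separately (server port 443 -> client port, and client port -> 443), so one connection can appear twice; compare client ports 51164 and 51152, which are listed in both directions. The line count therefore overstates the number of TLS connections. As an added example, not part of the Joe Sandbox report, the Python below parses lines of this shape, pairs both directions of a connection by its client port, and reports how many distinct connections went to which server ports. The sample lines are constructed from a few entries of the list above; the ephemeral port range 49152 to 65535 is the Windows default and is assumed for the analysis VM, and the expected server port set of {443} is a triage choice, not something the report states.

```python
import re
from collections import Counter

# Constructed sample: a few "Network traffic detected" lines in the shape the
# report uses, including two connections (51164, 51152) listed in both directions.
SAMPLE_LINES = """\
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53831
Source: unknown | Network traffic detected: HTTP traffic on port 50746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52500
Source: unknown | Network traffic detected: HTTP traffic on port 51164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown | Network traffic detected: HTTP traffic on port 51152 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51144
"""

PORT_RE = re.compile(r"traffic on port (\d+) -> (\d+)")

# Windows' default dynamic (client-side) port range; assumed for the analysis VM.
EPHEMERAL_MIN, EPHEMERAL_MAX = 49152, 65535

# Server ports the triager expects for this sample; anything else is surfaced.
EXPECTED_SERVER_PORTS = {443}


def parse_flows(report_text):
    """Return (src_port, dst_port) for every traffic line found in the text."""
    flows = []
    for line in report_text.splitlines():
        m = PORT_RE.search(line)
        if m:
            flows.append((int(m.group(1)), int(m.group(2))))
    return flows


def is_ephemeral(port):
    return EPHEMERAL_MIN <= port <= EPHEMERAL_MAX


def summarize(flows):
    """Fold per-direction lines into distinct connections.

    "50746 -> 443" is the client opening a connection from ephemeral port
    50746; "443 -> 50746" is the server answering it. Both describe one TCP
    connection, keyed here by its client port, so the connection count is the
    number of distinct client ports rather than the number of lines.
    """
    connections = {}  # client port -> server port
    outbound = inbound = undetermined = 0
    for src, dst in flows:
        if is_ephemeral(src) and not is_ephemeral(dst):
            client, server = src, dst
            outbound += 1
        elif is_ephemeral(dst) and not is_ephemeral(src):
            client, server = dst, src
            inbound += 1
        else:
            # Both or neither side ephemeral: direction cannot be inferred from
            # the port numbers alone; record the pair as written.
            client, server = src, dst
            undetermined += 1
        connections[client] = server
    server_ports = Counter(connections.values())
    return {
        "lines": len(flows),
        "connections": len(connections),
        "server_ports": dict(server_ports),
        "outbound_lines": outbound,
        "inbound_lines": inbound,
        "undetermined_lines": undetermined,
        "unexpected_server_ports": sorted(set(server_ports) - EXPECTED_SERVER_PORTS),
    }


def summarize_report(report_text):
    return summarize(parse_flows(report_text))


if __name__ == "__main__":
    for key, value in summarize_report(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the eight constructed lines this yields six connections, all to port 443; run against the full list it gives the connection count the report itself does not state. Pairs where neither or both ports fall in the ephemeral range are counted as undetermined rather than guessed, since a server listening on a high port would otherwise be mistaken for a client.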
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_0078B080
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_007701A0
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_007B89A0
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_007AA30D
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_007A7300
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_007A6657
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 0_2_00769700
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 2_2_0078B080
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 2_2_007B89A0
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: 2_2_007AA30D
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe | Code function: 3_2_007DB080
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe | Code function: 3_2_008089A0
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe | Code function: 3_2_007FA30D
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: String function: 00DA2354 appears 104 times
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Code function: String function: 00DAE717 appears 202 times
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe | Code function: String function: 00DFE717 appears 101 times
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe | Code function: String function: 00DF2354 appears 54 times
Source: getscreen-156413884-x86.exe | Static PE information: Resource name: AFX_DIALOG_LAYOUT type: DOS executable (COM, 0x8C-variant)
Source: getscreen-156413884-x86.exe | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: getscreen-156413884-x86.exe | Static PE information: Resource name: RT_DIALOG type: DOS executable (COM, 0x8C-variant)
Source: nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.dr | Static PE information: Resource name: AFX_DIALOG_LAYOUT type: DOS executable (COM, 0x8C-variant)
Source: nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.dr | Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.dr | Static PE information: Resource name: RT_DIALOG type: DOS executable (COM, 0x8C-variant)
Source: getscreen-156413884-x86.exe, 00000000.00000000.18278768516.0000000001E93000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe, 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe, 00000002.00000000.18281989878.0000000001E93000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe, 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe, 00000005.00000002.18462085276.0000000001E93000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe, 00000005.00000000.18308536261.0000000001E93000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-156413884-x86.exe
Source: getscreen-156413884-x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal54.phis.evad.winEXE@8/5@5/2
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | File created: C:\Users\user\AppData\Local\Getscreen.me
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | File read: C:\Users\user\Desktop\getscreen-156413884-x86.exe
Source: unknown | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe"
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -gpipe \\.\pipe\PCommand97tdpsimneriwgrzu -gui
Source: unknown | Process created: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe "C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe" -elevate \\.\pipe\elevateGS512nqdzlqpayjfioefvlkmbvgukrpwcnna
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -cpipe \\.\pipe\PCommand96gztzxiecsokzuwc -cmem 0000pipe0PCommand96gztzxiecsokzuwcm969vla39a23oue -child
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -gpipe \\.\pipe\PCommand97tdpsimneriwgrzu -gui
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -cpipe \\.\pipe\PCommand96gztzxiecsokzuwc -cmem 0000pipe0PCommand96gztzxiecsokzuwcm969vla39a23oue -child
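The process-creation lines above form a small tree: the installer respawns itself with -gpipe/-gui and -cpipe/-child arguments that name Windows named pipes, the dropped helper in C:\ProgramData is started with -elevate, and one -child instance is recorded under the svchost.exe whose command line selects the seclogon (Secondary Logon) service, the service behind runas-style CreateProcessWithLogonW launches. As an added example, not part of the Joe Sandbox report, the Python below parses lines of this shape, rebuilds the parent/child tree, extracts the pipe names and flags those three traits. The sample is constructed from five of the lines above; treating every child of an svchost.exe image whose command line contains -s seclogon as a Secondary Logon launch is a heuristic keyed on image path only, since the report does not give process IDs.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's "Process created" lines
# (five of the entries listed above).
SAMPLE = r"""
Source: unknown | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe"
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -gpipe \\.\pipe\PCommand97tdpsimneriwgrzu -gui
Source: unknown | Process created: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe "C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe" -elevate \\.\pipe\elevateGS512nqdzlqpayjfioefvlkmbvgukrpwcnna
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -cpipe \\.\pipe\PCommand96gztzxiecsokzuwc -cmem 0000pipe0PCommand96gztzxiecsokzuwcm969vla39a23oue -child
"""

# "Source: <parent> | Process created: <image> <command line>"; the separator
# is optional so the regex also accepts the unformatted "unknownProcess created" form.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*"
    r"(?P<image>.+?\.exe)\s+(?P<cmdline>.+)$",
    re.IGNORECASE,
)
# Matches \\.\pipe\<name> up to the next whitespace or quote.
PIPE_RE = re.compile(r'\\\\\.\\pipe\\[^\s"]+')
PROGRAMDATA = "c:\\programdata\\"


def parse_process_events(text):
    """Return one dict per line: parent image, child image, child command line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def extract_pipes(cmdline):
    return PIPE_RE.findall(cmdline)


def build_tree(events):
    """Map each parent image ("unknown" when the report has none) to the
    command lines it spawned."""
    tree = defaultdict(list)
    for ev in events:
        tree[ev["parent"]].append(ev["cmdline"])
    return dict(tree)


def triage(events):
    """Findings a triager wants from the tree, one string per finding."""
    # Heuristic: any svchost.exe whose command line selects the seclogon
    # (Secondary Logon) service. Matching children by image path only means a
    # different svchost.exe instance with the same path would match as well.
    seclogon_hosts = {
        ev["image"].lower()
        for ev in events
        if ev["image"].lower().endswith("svchost.exe")
        and "-s seclogon" in ev["cmdline"].lower()
    }
    findings = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1]
        pipes = extract_pipes(ev["cmdline"])
        if pipes:
            findings.append(f"{name}: named-pipe IPC via {', '.join(pipes)}")
        if ev["image"].lower().startswith(PROGRAMDATA):
            findings.append(f"{name}: runs from C:\\ProgramData (dropped helper)")
        if ev["parent"].lower() in seclogon_hosts:
            findings.append(
                f"{name}: child of the seclogon svchost "
                "(Secondary Logon, the service behind runas-style launches)"
            )
    return findings


if __name__ == "__main__":
    evs = parse_process_events(SAMPLE)
    for parent, children in build_tree(evs).items():
        print(parent)
        for c in children:
            print("   ", c)
    print()
    print("\n".join(triage(evs)))
```

The pipe names and the mutex name in the report share the PCommand prefix followed by a random suffix, so a detection keyed on the full pipe name would not survive a second run; the prefix and the -gpipe/-cpipe/-elevate switches are the stable parts.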
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: sas.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: dsparse.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: avrt.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: mfwmaaec.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: mfperfhelper.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: audioses.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: avrt.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: windows.ui.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: windowmanagementapi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: wintypes.dll (listed 3 times in the report)
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: twinapi.appcore.dll (listed 2 times in the report)
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe | Section loaded: ondemandconnroutehelper.dll (this load is listed 94 further times in the report)
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: getscreen-156413884-x86.exe Static PE information: certificate valid
Source: getscreen-156413884-x86.exe Static file information: File size 3654440 > 1048576
Source: getscreen-156413884-x86.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x374e00
Source: getscreen-156413884-x86.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Project\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_01E929E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_01E929E0
Source: nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe.0.dr Static PE information: real checksum: 0x38a69d should be: 0x3882ba
Source: getscreen-156413884-x86.exe Static PE information: real checksum: 0x38a69d should be: 0x3882ba
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe File created: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe File created: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_00DB7449 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DB7449
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 1
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 2
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe System information queried: FirmwareTableInformation
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Window / User API: threadDelayed 1075
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Window / User API: threadDelayed 9974
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Window / User API: threadDelayed 959
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe API coverage: 2.6 %
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe API coverage: 1.2 %
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe API coverage: 1.6 %
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 1732 Thread sleep count: 282 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 2448 Thread sleep count: 1075 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 2736 Thread sleep count: 240 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 3524 Thread sleep count: 257 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 5512 Thread sleep count: 255 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 2476 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 7304 Thread sleep count: 202 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 2464 Thread sleep count: 183 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe TID: 3540 Thread sleep count: 959 > 30
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
Source: getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMnet
Source: getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=RTy
Source: nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=RT~
Source: getscreen-156413884-x86.exe, 00000005.00000002.18462355976.0000000002451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: getscreen-156413884-x86.exe, 00000000.00000002.20760521579.0000000002603000.00000004.00000020.00020000.00000000.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20758827013.0000000002263000.00000004.00000020.00020000.00000000.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293085693.0000000000572000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe API call chain: ExitProcess graph end node graph_0-14064
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe API call chain: ExitProcess graph end node graph_2-12898
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe API call chain: ExitProcess graph end node graph_3-13797
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_00E061B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E061B5
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_01E929E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_01E929E0
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_00E061B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E061B5
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_00DFFCA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00DFFCA9
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 2_2_00DFFCA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00DFFCA9
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe Code function: 3_2_00E561B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00E561B5
Source: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe Code function: 3_2_00E4FCA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00E4FCA9
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_00D573E8 freerdp_input_send_mouse_event,0_2_00D573E8
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\Desktop\getscreen-156413884-x86.exe "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -cpipe \\.\pipe\PCommand96gztzxiecsokzuwc -cmem 0000pipe0PCommand96gztzxiecsokzuwcm969vla39a23oue -child
Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: loselink.button.copymain.isntall.howconnection.session.titleconnection.menu.copyconnection.menu.generatelogin.password.titlelogin.password.ennterlogin.active.help.1login.link.dashboard.1login.link.dashboard.2login.link.registerlogin.link.restorelogin.link.help.1login.link.help.2login.active.device.titlelogin.active.contactlogin.menu.dashboardlogin.menu.logoutsettings.common.titlesettings.common.agentsettings.common.languagesettings.common.startupsettings.common.onetimesettings.common.adminsettings.permission.titlesettings.permission.controlsettings.permission.audiosettings.permission.micsettings.permission.filesettings.permission.lock_inputsettings.permission.confirmsettings.proxy.buttoninvite.disableinvite.button.agreecall.income.textcall.income.acceptcall.income.rejectcall.out.textcall.out.cancelcall.connect.textcall.connect.closecall.active.closecall.rejecet.textcall.rejecet.againcall.rejecet.closecall.finish.textcall.finish.closeturbo.button.hideturbo.button.endturbo.button.proxyturbo.button.closeturbo.button.callturbo.button.chatturbo.confirm.closeturbo.confirm.close.yesturbo.confirm.close.noturbo.menu.exitturbo.menu.chatturbo.menu.showsettings.proxy.usesettings.proxy.serversettings.proxy.loginsettings.proxy.passwordsettings.proxy.applysettings.proxy.cancelconnection.confirm.acceptinstall.turbo.line2install.turbo.confirmconnection.link.titleconnection.link.text.4connection.link.title.2connection.link.title.3connection.link.getlogin.active.help.title.headlogin.active.help.title.2login.active.help.title.3connection.menu.clipboardconnection.menu.diactivateconnection.menu.disableShell_traywnd z
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_007B89A0 cpuid 0_2_007B89A0
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Code function: 0_2_00D6E4DD rfx_context_new,GetVersionExA,GetNativeSystemInfo,RegOpenKeyExA,primitives_get,CreateThreadpool,rfx_context_set_pixel_format,0_2_00D6E4DD

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getscreen.me http
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getscreen.me https
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\getscreen.me http
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\getscreen.me https
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Source: C:\Users\user\Desktop\getscreen-156413884-x86.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic; the leading number is the figure shown in the report's matrix cell. Unflagged matrix cells (the fixed technique skeleton of the matrix) are omitted.

Resource Development: 1 Scripting
Execution: 631 Windows Management Instrumentation; 1 Native API
Persistence: 1 Scripting; 1 DLL Side-Loading
Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 53 Virtualization/Sandbox Evasion; 1 Modify Registry; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Discovery: 731 Security Software Discovery; 53 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 133 System Information Discovery
Collection: 1 Archive Collected Data; 1 Browser Session Hijacking
Command and Control: 21 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
Antivirus Detection

Initial Sample

Source | Detection | Scanner
getscreen-156413884-x86.exe | 1% | Virustotal

Dropped Files

Source | Detection | Scanner
C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe | 1% | Virustotal

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
getscreen.me | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
https://%S/%S/agent/chat$.typeoutprocessData4Z | 0% | Avira URL Cloud | safe
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 0% | Avira URL Cloud | safe
http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe
https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link | 0% | Avira URL Cloud | safe
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | 0% | Avira URL Cloud | safe
https://getscreen.me/signal/agent | 0% | Avira URL Cloud | safe
https://getscreen.me/agent-policy | 0% | Avira URL Cloud | safe
https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link | 0% | Virustotal |
http://proxy.pcommand.com:3128 | 0% | Avira URL Cloud | safe
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | 0% | Virustotal |
http://proxy.contoso.com:3128/ | 0% | Virustotal |
https://getscreen.me/agent-policy | 0% | Virustotal |
http://proxy.pcommand.com:3128 | 0% | Virustotal |
https://getscreen.me/signal/agent | 0% | Virustotal |
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 0% | Virustotal |
NameIPActiveMaliciousAntivirus DetectionReputation
getscreen.me
78.47.165.25
truetrueunknown
NameMaliciousAntivirus DetectionReputation
https://getscreen.me/signal/agentfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Name: https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

Name: http://proxy.contoso.com:3128/
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

Name: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

Name: https://%S/%S/agent/chat$.typeoutprocessData4Z
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: Avira URL Cloud: safe
  • Reputation: unknown

Name: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000741000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

Name: https://getscreen.me/agent-policy
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

Name: http://proxy.pcommand.com:3128
  • Source: getscreen-156413884-x86.exe, 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp, getscreen-156413884-x86.exe, 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp, nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe, 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp, getscreen-156413884-x86.exe, 00000005.00000002.18459920353.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
  • Malicious: false
  • Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
  • Reputation: unknown
Legend (IP distribution map): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
78.47.165.25 | getscreen.me | Germany | 24940 | HETZNER-ASDE | true
51.89.95.37 | unknown | France | 16276 | OVHFR | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1492032
Start date and time: 2024-08-13 09:04:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Sample name: getscreen-156413884-x86.exe
Detection: MAL
Classification: mal54.phis.evad.winEXE@8/5@5/2
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing network information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
03:06:43 | API Interceptor | 12580321x Sleep call for process: getscreen-156413884-x86.exe modified
Context by IP (Match | Associated Sample Name / URL | Detection | Threat Name)
Match: 78.47.165.25
  • getscreen-511588515.exe | malicious | Unknown
  • getscreen-973519027.exe | malicious | Unknown
  • getscreen-973519027.exe | malicious | Unknown
  • getscreen-959987858.exe | malicious | Unknown
  • getscreen-728974364.exe | malicious | Unknown
  • getscreen-728974364.exe | malicious | Unknown
  • getscreen-447303723.exe | malicious | Unknown
  • getscreen-447303723.exe | malicious | Unknown
  • getscreen-008263870.exe | malicious | Unknown
Match: 51.89.95.37
  • getscreen-511588515.exe | malicious | Unknown
  • getscreen-959987858.exe | malicious | Unknown
  • getscreen-973519027.exe | malicious | Unknown

Context by domain (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
Match: getscreen.me
  • getscreen-511588515.exe | malicious | Unknown | 5.75.168.191
  • getscreen-511588515.exe | malicious | Unknown | 78.47.165.25
  • getscreen-973519027.exe | malicious | Unknown | 5.75.168.191
  • getscreen-959987858.exe | malicious | Unknown | 5.75.168.191
  • getscreen-973519027.exe | malicious | Unknown | 51.89.95.37
  • getscreen-959987858.exe | malicious | Unknown | 5.75.168.191
  • getscreen-728974364.exe | malicious | Unknown | 5.75.168.191
  • getscreen-728974364.exe | malicious | Unknown | 5.75.168.191
  • getscreen-447303723.exe | malicious | Unknown | 78.47.165.25

Context by ASN (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
Match: HETZNER-ASDE
  • hoho.arm.elf | malicious | Mirai | 136.243.55.31
  • http://www-indonesia.zee-mi.cfd/ | malicious | Unknown | 135.181.63.70
  • https://bhaez.cuakss.biz.id/ | malicious | Unknown | 135.181.63.70
  • Monica_velez Scan to View CourtOrder.docx | malicious | Unknown | 116.202.167.133
  • file.exe | malicious | Metastealer | 188.40.187.174
  • $RY0TBV2.exe | malicious | Unknown | 5.161.211.130
  • $RY0TBV2.exe | malicious | Unknown | 5.161.211.130
  • 66b9d00589bbc_doz.exe | malicious | Vidar | 78.46.239.218
  • 66b9d56da3bee_main.exe | malicious | Vidar | 78.46.239.218
Match: OVHFR
  • http://dkpmt.ngelink.cc/4NiJac15319dpCI1377ckliwublab21000DYABYJHPBRHUKFV28279WINZ17387I18#un92gu3drmwdgxav0i4clt74ygdc5umnx660ge2pw16j2d27zp | malicious | Unknown | 51.68.39.188
  • Monica_velez Scan to View CourtOrder.docx | malicious | Unknown | 5.135.209.104
  • https://staging.d1suhxp7nxddnj.amplifyapp.com/ | malicious | HTMLPhisher | 147.135.115.157
  • Updated Handbook.docx | malicious | Unknown | 54.36.150.186
  • 01_extracted.exe | malicious | Remcos | 188.165.120.122
  • Wordle_x64LTS.exe | malicious | Unknown | 51.89.9.253
  • Wordle_x64LTS.exe | malicious | Unknown | 51.89.9.252
  • Facturation.exe | malicious | Doenerium | 51.38.43.18
  • https://multievmosdapp.net/ | malicious | Unknown | 5.196.111.68
  • http://blockdag-network-rectification.pages.dev/wallet/inputs.html/js/aes.js | malicious | Unknown | 149.202.238.101

No context
No context
Process: C:\Users\user\Desktop\getscreen-156413884-x86.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.675704882778696
Encrypted: false
SSDEEP: 3:BvBAwxiIIOM+C8uzP:7AwkIRJuj
MD5: 00B7C901338BF7B4226CBCF2B375518D
SHA1: C7FFF995851586FBC2BB957535B01D976E9C36A1
SHA-256: F9AF21F736C60A69BBCD927DB2272A67B16FAE747B9334D73C483C87F08D465F
SHA-512: DAB0FAF0065471600C4A61A85CBF6BD66C995136282C7A4116B1BF716397CE2580689CCACE6BA247E253174CF9D6635F5B48F904ED7F143386B9D36D6CCF1D93
Malicious: false
Reputation: low
Preview: ...J.+.q....:.O.K.*@...[...%.....,.6.<.....2.@\.%.+.#.K.jK..
Process: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 6544
Entropy (8bit): 5.101516790100599
Encrypted: false
SSDEEP: 192:lQs7Ry/85y8S092rpKkrPoJCo4+mLsXFG:fQGsfUDcsA
MD5: 65374CDD92C68847FC80A6C91534C717
SHA1: AB8E8BFC3AAC365D87D8A1A44363B14B92287640
SHA-256: A9B1EE1C866321414EFBD98E6D8323D36409065BE49B71630972E0DB0856D07E
SHA-512: ADE27C907732F58E4C1B63436A2C1FD645EE644CB8114293BB36C5419727B2705CEB9F2637010103A0AF36C86E0642B4046CD6BCFBACFE7553F939F14306D0B2
Malicious: false
Reputation: low
Preview: 07:06:40.819.INFO.GuiSessionList created new gui session for: 1, is active: false..07:06:40.819.INFO.Server start server run....07:06:40.820.INFO.Start Getscreen.me v 2.21.3 build 2 revision 0..07:06:40.894.INFO.GUI GUI started..07:06:41.027.INFO.CGuiSessionList m_active is null..07:06:41.473.INFO.CConfigStore Loaded config from `C:\ProgramData\Getscreen.me\folder\settings.dat`..07:06:41.473.ERROR.Service service 'GetscreenSV' not found..07:06:41.636.INFO.Service service 'GetscreenSV' installed..07:06:41.868.INFO.Service service 'GetscreenSV' start success..07:06:41.865.INFO.Service get control message 1..07:06:41.878.INFO.FrameMark hide frame..07:06:42.377.INFO.Service service 'GetscreenSV' stop [0] (87)..07:06:42.890.INFO.Service service 'GetscreenSV' removed..07:06:42.906.INFO.Child success get system token..07:06:42.906.INFO.Child start child process simply..07:06:42.907.INF
Process: C:\Users\user\Desktop\getscreen-156413884-x86.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 3654440
Entropy (8bit): 7.931175512125937
Encrypted: false
SSDEEP: 98304:w2WbzRq8h0oEPel9/DLRAHyGBydPnYMJojL5Nb:w2ez4o0OmyVnvKLH
MD5: 2E9DE68641B502474E5BA330FE5396BB
SHA1: A7A07FCC8643FEC59E4684AAA66C64C3232E693F
SHA-256: F942C4A0313D288BF7A48AA6438DDCEC9FBCCCD0E8C0107B61B233A0A823731A
SHA-512: B5F460EE55C415C5238D500C454F3A9AAE5ADFC9763573FA84C9694F4145AD69515FDDD46A819AFF5B5762E3DBA39888B1BA675EBE2771009A7ACA24AD4A7DEB
Malicious: true
Antivirus:
  • Antivirus: Virustotal, Detection: 1%
Reputation: low
Preview: MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......iI/.-(AD-(AD-(ADfPBE.(AD.D)(AD.EE5(AD9WEE.(AD-(AD./ADfPFE,(AD.BE3(AD.DE](ADfPEE.(ADfPDE.(ADfPGE/(ADfP@En(AD-(@D.*AD>.HE.(AD>.AE,(AD>..D,(AD-(.D,(AD>.CE,(ADRich-(AD........................PE..L..../.f...............(.P7..P....=..)u...=..0u...@...........................u.......8...@..............................U..Pju......0u.P:............7.(/...qu. ............................+u.....<,u.............................................UPX0......=.............................UPX1.....P7...=..N7.................@....rsrc....P...0u..B...R7.............@..............................................................................................................................................................................................................................................................................................................4.22.UPX!....
Process: C:\Users\user\Desktop\getscreen-156413884-x86.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\getscreen-156413884-x86.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.84375
Encrypted: false
SSDEEP: 3:BvBAwxiIIOMpFl8g:7AwkIROFz
MD5: F6EF0C76DC981AF143C7FB794DF13F8B
SHA1: 372E75981542A254DD6855A7E9AED68E1878A184
SHA-256: F702D40B2C523E9F62164DDE2458A6FA76B1254EE847D25A420CBA49D1F5A3F2
SHA-512: 4A4CA46FC0B5EF91A5673526C124C4C389495EACC479EC0F52EA9757F70E89E8AF2418DD602C9511A64684DF534FABFB7A71ABBDB4A0BAFD473821BFE0862B3E
Malicious: false
Preview: ...J.+.q....:.O.K.*@...[...%.....,.6.<.....2.8UO..u.C/.A{;
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.931175512125937
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.66%
  • UPX compressed Win32 Executable (30571/9) 0.30%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: getscreen-156413884-x86.exe
File size: 3'654'440 bytes
MD5: 2e9de68641b502474e5ba330fe5396bb
SHA1: a7a07fcc8643fec59e4684aaa66c64c3232e693f
SHA256: f942c4a0313d288bf7a48aa6438ddcec9fbcccd0e8c0107b61b233a0a823731a
SHA512: b5f460ee55c415c5238d500c454f3a9aae5adfc9763573fa84c9694f4145ad69515fddd46a819aff5b5762e3dba39888b1ba675ebe2771009a7aca24ad4a7deb
SSDEEP: 98304:w2WbzRq8h0oEPel9/DLRAHyGBydPnYMJojL5Nb:w2ez4o0OmyVnvKLH
TLSH: B50633E1ED6939A1D33D5CB8111B56BD73FAA03658FE23C78A1D9B219E347028F52113
File Content Preview: MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......iI/.-(AD-(AD-(ADfPBE.(AD...D)(AD..EE5(AD9WEE.(AD-(AD./ADfPFE,(AD..BE3(AD..DE](ADfPEE.(ADfPDE.(ADfPGE/(ADfP@En(AD-(@D.*AD>.HE.(A
Icon Hash: 418c6963696c9643
Entrypoint: 0x1b529e0
Entrypoint Section: UPX1
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66912FD6 [Fri Jul 12 13:29:58 2024 UTC]
TLS Callbacks: 0x1b52bd3
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 26c6aff4250b45d1c4ee6d86013ea70c
Signature Valid: true
Signature Issuer: CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 28/05/2024 15:50:28
Not After: 28/06/2026 16:36:10
Subject Chain:
  • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: 9B083870477F4699693EEECABF351BF8
Thumbprint SHA-1: B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
Thumbprint SHA-256: 3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
Serial: 7AE0E9C1CFE2DCE0E21C4327
                          Instruction
                          pushad
                          mov esi, 017DE000h
                          lea edi, dword ptr [esi-013DD000h]
                          push edi
                          or ebp, FFFFFFFFh
                          jmp 00007F21952A4CD2h
                          nop
                          nop
                          nop
                          nop
                          nop
                          nop
                          mov al, byte ptr [esi]
                          inc esi
                          mov byte ptr [edi], al
                          inc edi
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          jc 00007F21952A4CAFh
                          mov eax, 00000001h
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          adc eax, eax
                          add ebx, ebx
                          jnc 00007F21952A4CCDh
                          jne 00007F21952A4CEAh
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          jc 00007F21952A4CE1h
                          dec eax
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          adc eax, eax
                          jmp 00007F21952A4C96h
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          adc ecx, ecx
                          jmp 00007F21952A4D14h
                          xor ecx, ecx
                          sub eax, 03h
                          jc 00007F21952A4CD3h
                          shl eax, 08h
                          mov al, byte ptr [esi]
                          inc esi
                          xor eax, FFFFFFFFh
                          je 00007F21952A4D37h
                          sar eax, 1
                          mov ebp, eax
                          jmp 00007F21952A4CCDh
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          jc 00007F21952A4C8Eh
                          inc ecx
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          jc 00007F21952A4C80h
                          add ebx, ebx
                          jne 00007F21952A4CC9h
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          adc ecx, ecx
                          add ebx, ebx
                          jnc 00007F21952A4CB1h
                          jne 00007F21952A4CCBh
                          mov ebx, dword ptr [esi]
                          sub esi, FFFFFFFCh
                          adc ebx, ebx
                          jnc 00007F21952A4CA6h
                          add ecx, 02h
                          cmp ebp, FFFFFB00h
                          adc ecx, 02h
                          lea edx, dword ptr [eax+eax]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x820d90 | 0x5500 | UPX0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1756a50 | 0x6c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1753000 | 0x3a50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x379400 | 0x2f28 | UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1757110 | 0x20 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1752bf4 | 0x18 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1752c3c | 0xc0 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x13dd000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x13de000 | 0x375000 | 0x374e00 | a216f7d1a8e4e14b94fdfbca52f7b652 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1753000 | 0x5000 | 0x4200 | 5871e1397e577651929aa76b50980e16 | False | 0.4675662878787879 | data | 5.104875966236682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x168ca98 | 0x2 | ASCII text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168caa0 | 0x2 | Non-ISO extended-ASCII text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cb08 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x16d4db0 | 0x2 | ASCII text, with no line terminators | | | 5.0
AFX_DIALOG_LAYOUT | 0x168caa8 | 0x2 | ISO-8859 text, with CR line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cb00 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cb10 | 0x2a | DOS executable (COM, 0x8C-variant) | Russian | Russia | 1.2142857142857142
AFX_DIALOG_LAYOUT | 0x168cb40 | 0x22 | data | Russian | Russia | 1.2647058823529411
AFX_DIALOG_LAYOUT | 0x168cb68 | 0x22 | data | Russian | Russia | 1.2647058823529411
AFX_DIALOG_LAYOUT | 0x168cb90 | 0x22 | data | Russian | Russia | 1.2647058823529411
AFX_DIALOG_LAYOUT | 0x168cbb8 | 0x22 | data | Russian | Russia | 1.2647058823529411
AFX_DIALOG_LAYOUT | 0x168cbe0 | 0x2a | data | Russian | Russia | 1.2142857142857142
AFX_DIALOG_LAYOUT | 0x168cc10 | 0x2 | ASCII text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc28 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc20 | 0x2 | data | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc18 | 0x2 | ASCII text | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc30 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc38 | 0x2 | ASCII text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc40 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x16d4ff0 | 0x2 | ISO-8859 text, with no line terminators | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x168cc48 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc50 | 0x2 | data | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc58 | 0x2 | data | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc60 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc68 | 0x2 | data | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc70 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cab0 | 0x42 | data | Russian | Russia | 1.1666666666666667
AFX_DIALOG_LAYOUT | 0x168caf8 | 0x2 | ISO-8859 text, with no line terminators | Russian | Russia | 5.0
AFX_DIALOG_LAYOUT | 0x168cc78 | 0x2 | ISO-8859 text, with no line terminators, with overstriking | Russian | Russia | 5.0
INI | 0x16d3a18 | 0xa | data | Russian | Russia | 1.8
LANG | 0x16ace60 | 0x1b82 | data | Russian | Russia | 0.8660891792104516
LANG | 0x16ae9e8 | 0x26fb | data | Russian | Russia | 0.950796673013328
LANG | 0x16b10e8 | 0x1e2b | data | Russian | Russia | 0.9835556131037162
LANG | 0x16b2f18 | 0x1e5d | data | Russian | Russia | 0.9994853981731635
LANG | 0x16b4d78 | 0x1ca1 | data | Russian | Russia | 0.9953608950743621
LANG | 0x16b6a20 | 0x21fd | data | Russian | Russia | 0.983794966095851
LANG | 0x16b8c20 | 0x1de4 | data | Russian | Russia | 0.9225039205436487
LANG | 0x16baa08 | 0x1a50 | data | Russian | Russia | 0.962143705463183
LANG | 0x16bc458 | 0x1d25 | data | Russian | Russia | 0.9987937273823885
LANG | 0x16be180 | 0x1e03 | data | Russian | Russia | 0.9980476376415462
LANG | 0x16e7c38 | 0x1ddc | data | English | United States | 0.9955520669806384
OPUS | 0x16bff88 | 0xa5e5 | data | Russian | Russia | 0.9886505451034873
OPUS | 0x16ca570 | 0x94a4 | data | Russian | Russia | 0.978082623777988
RT_ICON | 0x168cc80 | 0x139 | data | Russian | Russia | 1.035143769968051
RT_ICON | 0x168cdc0 | 0x1ef | data | Russian | Russia | 1.0222222222222221
RT_ICON | 0x168cfb0 | 0x225 | data | Russian | Russia | 1.0200364298724955
RT_ICON | 0x168d1d8 | 0x26b | OpenPGP Public Key | Russian | Russia | 1.0177705977382876
RT_ICON | 0x168d448 | 0x326 | data | Russian | Russia | 1.0136476426799008
RT_ICON | 0x168d770 | 0x402 | data | Russian | Russia | 1.010721247563353
RT_ICON | 0x17550f0 | 0x13b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.034920634920635
RT_ICON | 0x1755230 | 0x1c5 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0242825607064017
RT_ICON | 0x17553fc | 0x1ee | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0222672064777327
RT_ICON | 0x17555f0 | 0x253 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0184873949579831
RT_ICON | 0x1755848 | 0x2e7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0148048452220726
RT_ICON | 0x1755b34 | 0x3ad | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0116896918172158
RT_ICON | 0x168ea20 | 0xac | data | Russian | Russia | 1.063953488372093
RT_ICON | 0x168eae8 | 0x159 | data | Russian | Russia | 1.0318840579710145
RT_ICON | 0x168ec48 | 0x1e6 | data | Russian | Russia | 1.022633744855967
RT_ICON | 0x168ee30 | 0x1f6 | data | Russian | Russia | 1.0219123505976095
RT_ICON | 0x168f028 | 0x26d | data | Russian | Russia | 1.0177133655394526
RT_ICON | 0x168f298 | 0x31b | data | Russian | Russia | 1.0138364779874214
RT_ICON | 0x168f5b8 | 0x3e7 | data | Russian | Russia | 1.011011011011011
RT_ICON | 0x168fa00 | 0xdd | DOS executable (COM) | Russian | Russia | 1.0497737556561086
RT_ICON | 0x168faf8 | 0x10f | data | Russian | Russia | 1.040590405904059
RT_ICON | 0x168fc20 | 0x25a8 | data | Russian | Russia | 0.999896265560166
RT_ICON | 0x16921e0 | 0x12d | data | Russian | Russia | 1.0365448504983388
RT_ICON | 0x1692328 | 0x106 | data | Russian | Russia | 1.0419847328244274
RT_ICON | 0x1692448 | 0x109 | data | Russian | Russia | 1.0415094339622641
RT_ICON | 0x1692570 | 0x171 | data | Russian | Russia | 1.029810298102981
RT_ICON | 0x1692700 | 0x109d | data | Russian | Russia | 1.0025864095932282
RT_ICON | 0x16937b8 | 0xdd9 | data | Russian | Russia | 1.0031029619181946
RT_ICON | 0x16945b0 | 0xc0e | data | Russian | Russia | 1.0035644847699288
RT_ICON | 0x16951d8 | 0xb91 | data | Russian | Russia | 1.0037149611617697
RT_ICON | 0x1695d88 | 0xdd9 | data | Russian | Russia | 1.0031029619181946
RT_ICON | 0x1696b80 | 0x11c | data | Russian | Russia | 1.0387323943661972
RT_ICON | 0x1696cb8 | 0x116 | data | Russian | Russia | 1.039568345323741
                          RT_ICON0x1696de80x1c4dataRussianRussia1.0243362831858407
                          RT_ICON0x1696fc80x1a1dataRussianRussia1.026378896882494
                          RT_ICON0x16971880x182dataRussianRussia1.028497409326425
                          RT_ICON0x16973280x222dataRussianRussia1.02014652014652
                          RT_ICON0x16975680x11fOpenPGP Secret KeyRussianRussia1.038327526132404
                          RT_ICON0x16976a00x103dataRussianRussia1.0424710424710424
                          RT_ICON0x16977c00x1588dataRussianRussia1.0019956458635704
                          RT_ICON0x1698d600x580dataRussianRussia1.0078125
                          RT_ICON0x16992f80x988dataRussianRussia1.0045081967213114
                          RT_ICON0x1699c980x25a8dataRussianRussia0.9986514522821577
                          RT_ICON0x169c2580x10828dataRussianRussia0.9908316573997398
                          RT_ICON0x16d3a280x163data1.0309859154929577
                          RT_ICON0x16d3b900x20ddata1.020952380952381
                          RT_ICON0x16d3da00x21bdata1.0148423005565863
                          RT_ICON0x16d3fc00x282data1.017133956386293
                          RT_ICON0x16d42480x33cdata1.0132850241545894
                          RT_ICON0x16d45880x413data1.0105465004793863
                          RT_ICON0x16d4a000x152data0.9792899408284024
                          RT_ICON0x16d4ff80x10a8dataEnglishUnited States0.9798311444652908
                          RT_ICON0x16d60b80x988dataEnglishUnited States1.0045081967213114
                          RT_ICON0x16d6a580x988dataEnglishUnited States0.9721311475409836
                          RT_ICON0x16d73f80x10828dataEnglishUnited States0.9158286998698687
                          RT_MENU0x16d4b700xf8data1.0161290322580645
                          RT_MENU0x16acd200xd2dataRussianRussia1.0523809523809524
                          RT_MENU0x16acdf80x66dataRussianRussia1.088235294117647
                          RT_MENU0x16d4c680x46data1.1571428571428573
                          RT_DIALOG0x168a0f00x490dataRussianRussia1.009417808219178
                          RT_DIALOG0x168a5800x78dataRussianRussia1.0916666666666666
                          RT_DIALOG0x16d4cb00x100data0.9765625
                          RT_DIALOG0x168a5f80x1f8dataRussianRussia1.0218253968253967
                          RT_DIALOG0x168acb00x190dataRussianRussia1.0275
                          RT_DIALOG0x168ae400x154dataRussianRussia1.0323529411764707
                          RT_DIALOG0x168af980xf4dataRussianRussia1.0450819672131149
                          RT_DIALOG0x168b0900x12cdataRussianRussia1.0366666666666666
                          RT_DIALOG0x168b1c00x110dataRussianRussia1.0404411764705883
                          RT_DIALOG0x168b2d00x128dataRussianRussia1.037162162162162
                          RT_DIALOG0x168b3f80x154dataRussianRussia1.0323529411764707
                          RT_DIALOG0x168b5500x7edataRussianRussia1.0873015873015872
                          RT_DIALOG0x168b8080x148dataRussianRussia1.0335365853658536
                          RT_DIALOG0x168b7380xd0dataRussianRussia1.0528846153846154
                          RT_DIALOG0x168b5d00x164dataRussianRussia1.0308988764044944
                          RT_DIALOG0x168b9500x14cdataRussianRussia1.033132530120482
                          RT_DIALOG0x168baa00x1f0dataRussianRussia1.0221774193548387
                          RT_DIALOG0x168bc900x284dataRussianRussia1.0170807453416149
                          RT_DIALOG0x16d4db80x232dataEnglishUnited States1.019572953736655
                          RT_DIALOG0x168bf180x182dataRussianRussia1.0129533678756477
                          RT_DIALOG0x168c0a00x68dataRussianRussia1.1057692307692308
                          RT_DIALOG0x168c1080x1f8DOS executable (COM, 0x8C-variant)RussianRussia1.0218253968253967
                          RT_DIALOG0x168c3000x218dataRussianRussia1.0205223880597014
                          RT_DIALOG0x168c5180x2badataRussianRussia1.015759312320917
                          RT_DIALOG0x168c7d80x242dataRussianRussia1.019031141868512
                          RT_DIALOG0x168a7f00x21cdataRussianRussia1.0203703703703704
                          RT_DIALOG0x168aa100x29adataRussianRussia1.0165165165165164
                          RT_DIALOG0x168ca200x72OpenPGP Secret KeyRussianRussia1.0964912280701755
                          RT_STRING0x16e9a180x38dataRussianRussia1.1964285714285714
                          RT_GROUP_ICON0x1755ee80x5adataRussianRussia0.8
                          RT_GROUP_ICON0x168db780x5adataRussianRussia1.1222222222222222
                          RT_GROUP_ICON0x16d49a00x5adata1.1222222222222222
                          RT_GROUP_ICON0x16977a80x14dataRussianRussia1.4
                          RT_GROUP_ICON0x168ead00x14dataRussianRussia1.4
                          RT_GROUP_ICON0x168f9a00x5adataRussianRussia1.1222222222222222
                          RT_GROUP_ICON0x1698d480x14Non-ISO extended-ASCII text, with CR line terminatorsRussianRussia1.45
                          RT_GROUP_ICON0x168fae00x14dataRussianRussia1.45
                          RT_GROUP_ICON0x168fc080x14dataRussianRussia1.2
                          RT_GROUP_ICON0x16921c80x14Non-ISO extended-ASCII text, with LF, NEL line terminatorsRussianRussia1.4
                          RT_GROUP_ICON0x16d4b580x14Non-ISO extended-ASCII text, with no line terminators1.4
                          RT_GROUP_ICON0x16923100x14dataRussianRussia1.4
                          RT_GROUP_ICON0x16924300x14locale data tableRussianRussia1.4
                          RT_GROUP_ICON0x16925580x14International EBCDIC text, with NEL line terminatorsRussianRussia1.45
                          RT_GROUP_ICON0x16926e80x14dataRussianRussia1.4
                          RT_GROUP_ICON0x16937a00x14Non-ISO extended-ASCII text, with no line terminators, with overstrikingRussianRussia1.45
                          RT_GROUP_ICON0x16945980x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16951c00x14Non-ISO extended-ASCII text, with no line terminatorsRussianRussia1.4
                          RT_GROUP_ICON0x1695d700x14dataRussianRussia1.45
                          RT_GROUP_ICON0x1696b680x14dataRussianRussia1.4
                          RT_GROUP_ICON0x1696ca00x14dataRussianRussia1.4
                          RT_GROUP_ICON0x1696dd00x14dataRussianRussia1.45
                          RT_GROUP_ICON0x1696fb00x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16971700x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16973100x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16975500x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16976880x14dataRussianRussia1.4
                          RT_GROUP_ICON0x16992e00x14dataRussianRussia1.45
                          RT_GROUP_ICON0x1699c800x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16d60a00x14dataEnglishUnited States1.45
                          RT_GROUP_ICON0x169c2400x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16aca800x14dataRussianRussia1.45
                          RT_GROUP_ICON0x16d6a400x14dataEnglishUnited States1.4
                          RT_GROUP_ICON0x16d73e00x14dataEnglishUnited States1.45
                          RT_GROUP_ICON0x16e7c200x14dataEnglishUnited States1.45
                          RT_VERSION0x1755f480x284dataRussianRussia0.468944099378882
                          RT_MANIFEST0x17561d00x87fXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminatorsEnglishUnited States0.31264367816091954
DLL | Import
ADVAPI32.dll | FreeSid
COMCTL32.dll | _TrackMouseEvent
d3d11.dll | D3D11CreateDevice
dbghelp.dll | StackWalk
dxgi.dll | CreateDXGIFactory1
GDI32.dll | LineTo
gdiplus.dll | GdipFree
IPHLPAPI.DLL | GetIfEntry2
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MPR.dll | WNetGetConnectionW
msdmo.dll | MoInitMediaType
NETAPI32.dll | NetUserGetInfo
ntdll.dll | RtlGetVersion
NTDSAPI.dll | DsMakeSpnW
ole32.dll | OleCreate
OLEAUT32.dll | SysFreeString
POWRPROF.dll | PowerGetActiveScheme
RPCRT4.dll | UuidEqual
SAS.dll | SendSAS
Secur32.dll | FreeCredentialsHandle
SHELL32.dll |
SHLWAPI.dll | PathFileExistsA
USER32.dll | GetDC
USERENV.dll | CreateEnvironmentBlock
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WINHTTP.dll | WinHttpOpen
WINMM.dll | waveInOpen
WINSPOOL.DRV | GetPrinterW
WS2_32.dll | WSASetLastError
WTSAPI32.dll | WTSFreeMemory

Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 13, 2024 09:06:44.008306026 CEST | 192.168.11.20 | 1.1.1.1 | 0x28cf | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:07:47.097349882 CEST | 192.168.11.20 | 1.1.1.1 | 0x7021 | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:08:46.583831072 CEST | 192.168.11.20 | 1.1.1.1 | 0x83ed | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:09:46.602049112 CEST | 192.168.11.20 | 1.1.1.1 | 0x7cec | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:10:46.605489969 CEST | 192.168.11.20 | 1.1.1.1 | 0x5629 | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 13, 2024 09:06:44.183358908 CEST | 1.1.1.1 | 192.168.11.20 | 0x28cf | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:06:44.183358908 CEST | 1.1.1.1 | 192.168.11.20 | 0x28cf | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:06:44.183358908 CEST | 1.1.1.1 | 192.168.11.20 | 0x28cf | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:07:47.272507906 CEST | 1.1.1.1 | 192.168.11.20 | 0x7021 | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:07:47.272507906 CEST | 1.1.1.1 | 192.168.11.20 | 0x7021 | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:07:47.272507906 CEST | 1.1.1.1 | 192.168.11.20 | 0x7021 | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:08:46.751064062 CEST | 1.1.1.1 | 192.168.11.20 | 0x83ed | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:08:46.751064062 CEST | 1.1.1.1 | 192.168.11.20 | 0x83ed | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:08:46.751064062 CEST | 1.1.1.1 | 192.168.11.20 | 0x83ed | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:09:46.769257069 CEST | 1.1.1.1 | 192.168.11.20 | 0x7cec | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:09:46.769257069 CEST | 1.1.1.1 | 192.168.11.20 | 0x7cec | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:09:46.769257069 CEST | 1.1.1.1 | 192.168.11.20 | 0x7cec | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:10:46.772159100 CEST | 1.1.1.1 | 192.168.11.20 | 0x5629 | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:10:46.772159100 CEST | 1.1.1.1 | 192.168.11.20 | 0x5629 | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Aug 13, 2024 09:10:46.772159100 CEST | 1.1.1.1 | 192.168.11.20 | 0x5629 | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49821 | 78.47.165.25 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:06:44 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:06:45 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:06:45 GMT
content-length: 12
x-envoy-upstream-service-time: 6
server: lb1.getscreen.me
connection: close
2024-08-13 07:06:45 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49822 | 78.47.165.25 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:06:57 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:06:58 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:06:58 GMT
content-length: 12
x-envoy-upstream-service-time: 0
server: lb1.getscreen.me
connection: close
2024-08-13 07:06:58 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49823 | 78.47.165.25 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:07:17 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:07:17 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:07:17 GMT
content-length: 12
x-envoy-upstream-service-time: 4
server: lb1.getscreen.me
connection: close
2024-08-13 07:07:17 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.11.20 | 49824 | 78.47.165.25 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:07:24 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:07:24 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:07:24 GMT
content-length: 12
x-envoy-upstream-service-time: 1
server: lb1.getscreen.me
connection: close
2024-08-13 07:07:24 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.11.20 | 49825 | 78.47.165.25 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:07:34 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:07:35 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:07:35 GMT
content-length: 12
x-envoy-upstream-service-time: 3
server: lb1.getscreen.me
connection: close
2024-08-13 07:07:35 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.11.20 | 49826 | 51.89.95.37 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:07:47 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:07:48 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:07:48 GMT
content-length: 12
x-envoy-upstream-service-time: 7
server: ov1.getscreen.me
connection: close
2024-08-13 07:07:48 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.11.20 | 49827 | 51.89.95.37 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:07:50 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:07:51 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:07:51 GMT
content-length: 12
x-envoy-upstream-service-time: 6
server: ov1.getscreen.me
connection: close
2024-08-13 07:07:51 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.11.20 | 49828 | 51.89.95.37 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:07:55 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.11.20 | 49829 | 51.89.95.37 | 443 | 4144 | C:\Users\user\Desktop\getscreen-156413884-x86.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-13 07:08:00 UTC | 290 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-08-13 07:08:01 UTC | 265 | IN | HTTP/1.1 400 Bad Request
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
date: Tue, 13 Aug 2024 07:08:00 GMT
content-length: 12
x-envoy-upstream-service-time: 6
server: ov1.getscreen.me
connection: close
2024-08-13 07:08:01 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request



Target ID: 0
Start time: 03:06:40
Start date: 13/08/2024
Path: C:\Users\user\Desktop\getscreen-156413884-x86.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\getscreen-156413884-x86.exe"
Imagebase: 0x740000
File size: 3'654'440 bytes
MD5 hash: 2E9DE68641B502474E5BA330FE5396BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 03:06:40
Start date: 13/08/2024
Path: C:\Users\user\Desktop\getscreen-156413884-x86.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -gpipe \\.\pipe\PCommand97tdpsimneriwgrzu -gui
Imagebase: 0x740000
File size: 3'654'440 bytes
MD5 hash: 2E9DE68641B502474E5BA330FE5396BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 3
Start time: 03:06:41
Start date: 13/08/2024
Path: C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\Getscreen.me\nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.exe" -elevate \\.\pipe\elevateGS512nqdzlqpayjfioefvlkmbvgukrpwcnna
Imagebase: 0x790000
File size: 3'654'440 bytes
MD5 hash: 2E9DE68641B502474E5BA330FE5396BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 1%, Virustotal
Reputation: low
Has exited: true

Target ID: 4
Start time: 03:06:43
Start date: 13/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase: 0x7ff653ca0000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 03:06:43
Start date: 13/08/2024
Path: C:\Users\user\Desktop\getscreen-156413884-x86.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\getscreen-156413884-x86.exe" -cpipe \\.\pipe\PCommand96gztzxiecsokzuwc -cmem 0000pipe0PCommand96gztzxiecsokzuwcm969vla39a23oue -child
Imagebase: 0x740000
File size: 3'654'440 bytes
MD5 hash: 2E9DE68641B502474E5BA330FE5396BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


                            Execution Graph

                            Execution Coverage:1.2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:2.8%
                            Total number of Nodes:247
                            Total number of Limit Nodes:11

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 01E92B13
                            • GetProcAddress.KERNEL32(?,01E6CFF9), ref: 01E92B31
                            • ExitProcess.KERNEL32(?,01E6CFF9), ref: 01E92B42
                            • VirtualProtect.KERNEL32(00740000,00001000,00000004,?,00000000), ref: 01E92B90
                            • VirtualProtect.KERNEL32(00740000,00001000), ref: 01E92BA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                            • String ID:
                            • API String ID: 1996367037-0
                            • Opcode ID: 3c3e4e1660f31b76f3217510b8a4a34511a40d85c57fd981d39193e29dff6a9b
                            • Instruction ID: 391c61bb0c683ec58ecfee36cbc39f1b252ca285cad72aaf2d7eb62838771f35
                            • Opcode Fuzzy Hash: 3c3e4e1660f31b76f3217510b8a4a34511a40d85c57fd981d39193e29dff6a9b
                            • Instruction Fuzzy Hash: C0510473A103136ADF318E6CDCC06ACB795EB452247581738DBE2D73C6E7E858468364

                            Control-flow Graph

                            APIs
                            • GetCurrentThread.KERNEL32 ref: 00832FA5
                            • SetThreadDescription.KERNELBASE(00000000,?), ref: 00832FBD
                            • KiUserExceptionDispatcher.NTDLL(406D1388,00000000,00000004,?), ref: 00832FEA
                            • GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 00833031
                            • GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 0083303D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Thread$AddressCurrentDescriptionDispatcherExceptionHandleModuleProcUser
                            • String ID: Kernel32.dll$SetThreadDescription
                            • API String ID: 2856497764-1724334159
                            • Opcode ID: 5eb737a3f5d7115e918a15001cdff54b5202bfa5fbac9cbf4e64fca405ade5ea
                            • Instruction ID: 983dbbf7c7da133107bde0674b3ca00bad7aeba072b2445c81bf3881a9b93ce4
                            • Opcode Fuzzy Hash: 5eb737a3f5d7115e918a15001cdff54b5202bfa5fbac9cbf4e64fca405ade5ea
                            • Instruction Fuzzy Hash: 72418EB1D007899FD720CF54DC88BA9B7B4FF8A720F108359E865A7391DB744985CB91

                            Control-flow Graph

                            APIs
                            • GetLastError.KERNEL32(?,?,00E0B650,00F60388,0000000C), ref: 00E1F430
                            • SetLastError.KERNEL32(00000000), ref: 00E1F4D2
                            • GetLastError.KERNEL32(00000000,?,00E05FDD,00E1F0E3,?,?,00DAF77A,0000000C,?,?,?,?,00D227D2,?,?,?), ref: 00E1F581
                            • SetLastError.KERNEL32(00000000,000000FF,00000006), ref: 00E1F623
                              • Part of subcall function 00E1F717: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00E1F758
                              • Part of subcall function 00E1F066: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2B935,?,00000000,?,?,00E2BBD6,?,00000007,?,?,00E2BF89,?,?), ref: 00E1F07C
                              • Part of subcall function 00E1F066: GetLastError.KERNEL32(?,?,00E2B935,?,00000000,?,?,00E2BBD6,?,00000007,?,?,00E2BF89,?,?), ref: 00E1F087
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorLast$Heap$AllocateFree
                            • String ID:
                            • API String ID: 2037364846-0
                            • Opcode ID: 30a1303a25e3fc17586513998c0fc702bef44ee55c28445dd1772e7423a270b2
                            • Instruction ID: 86c83acbbdd2d07543e59be71c3ede325a97e0733c97606a87b24136a4e6e58b
                            • Opcode Fuzzy Hash: 30a1303a25e3fc17586513998c0fc702bef44ee55c28445dd1772e7423a270b2
                            • Instruction Fuzzy Hash: 89515D7661A3216ED6113B78BC87EEB368DAF14378F102270F724BA1E1DB248ED191D1

                            Control-flow Graph

                            APIs
                            • GetLastError.KERNEL32(00F60388,0000000C), ref: 00E0B63E
                            • RtlExitUserThread.NTDLL(00000000), ref: 00E0B645
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorExitLastThreadUser
                            • String ID:
                            • API String ID: 1750398979-0
                            • Opcode ID: 20c702f8eb4a4f1d09fa1df70841d5b491034839501e3b64d69212977764bbf0
                            • Instruction ID: e70983f9302ad3213ab65a109bf384cab2291cba1f74aeca5e1488578c76322e
                            • Opcode Fuzzy Hash: 20c702f8eb4a4f1d09fa1df70841d5b491034839501e3b64d69212977764bbf0
                            • Instruction Fuzzy Hash: 93F0C2B5A406049FDB04AFB0E80AB6E7BB4FF41710F205188F011BB2E2CB319981CBA1

                            Control-flow Graph

                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,00E2B935,?,00000000,?,?,00E2BBD6,?,00000007,?,?,00E2BF89,?,?), ref: 00E1F07C
                            • GetLastError.KERNEL32(?,?,00E2B935,?,00000000,?,?,00E2BBD6,?,00000007,?,?,00E2BF89,?,?), ref: 00E1F087
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 485612231-0
                            • Opcode ID: b020231825db68da30ff995e801a8abb5c03ebc3394ee0c89d842ce0cff53336
                            • Instruction ID: 8b540874914e115e72feaf95fba04187f469ce4b03d478f4b39f2d46948bad35
                            • Opcode Fuzzy Hash: b020231825db68da30ff995e801a8abb5c03ebc3394ee0c89d842ce0cff53336
                            • Instruction Fuzzy Hash: CAE086722006086BDB212BA1ED097993A99AB05755F115020F60CB60E1D7748C81CBA4

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 202 e023ce-e023e6 203 e02415-e02437 KiUserExceptionDispatcher 202->203 204 e023e8-e023eb 202->204 205 e0240b-e0240e 204->205 206 e023ed-e02409 204->206 205->203 207 e02410 205->207 206->203 206->205 207->203
                            APIs
                            • KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,?,?,00000001), ref: 00E0242E
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: DispatcherExceptionUser
                            • String ID:
                            • API String ID: 6842923-0
                            • Opcode ID: 173e8a952e85795111be0358260f4561e2ad5b21901bd09115edf7c95a474c93
                            • Instruction ID: 2a2114963e4ca167ff0051bf8e82c3ddf7c8a3b1341b854a38e13d8c6cb46e91
                            • Opcode Fuzzy Hash: 173e8a952e85795111be0358260f4561e2ad5b21901bd09115edf7c95a474c93
                            • Instruction Fuzzy Hash: 70018F75A00208AFC7019F5DD884B9EBBF9EF88714F154169EA15AB390D770ED41CB90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 210 e1f717-e1f722 211 e1f730-e1f736 210->211 212 e1f724-e1f72e 210->212 214 e1f738-e1f739 211->214 215 e1f74f-e1f760 RtlAllocateHeap 211->215 212->211 213 e1f764-e1f76f call e05fd8 212->213 219 e1f771-e1f773 213->219 214->215 216 e1f762 215->216 217 e1f73b-e1f742 call e1e7a5 215->217 216->219 217->213 223 e1f744-e1f74d call e1bfcd 217->223 223->213 223->215
                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00E1F758
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: f693c1232b036711f5dc43f0bcff34894fe04e79fdef286edb6913cac42226fc
                            • Instruction ID: f6c0a0c4399d7c2e869f0c307725d0f5eab5f5801ade1dc6718a9db44b3704f0
                            • Opcode Fuzzy Hash: f693c1232b036711f5dc43f0bcff34894fe04e79fdef286edb6913cac42226fc
                            • Instruction Fuzzy Hash: 48F0E93162022466EB216E269C05BDB3789AF41774B156033FC14F71C0CB30D88186E0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 226 8ab829-8ab83f SetLastError 227 8ab88c-8ab8c0 call d1f1f8 call dffecc 226->227 228 8ab841-8ab84e 226->228 235 8ab8c2-8ab8dd 227->235 236 8ab8e0-8ab8fc 227->236 234 8ab852-8ab854 228->234 237 8ab883-8ab889 234->237 238 8ab856-8ab85b 234->238 235->236 241 8ab8fe-8ab901 236->241 242 8ab903 236->242 239 8ab87a-8ab880 call dffc88 238->239 240 8ab85d-8ab875 238->240 239->237 240->239 244 8ab906-8ab91e call c92ba0 241->244 242->244
                            APIs
                            • SetLastError.KERNEL32(00000000), ref: 008AB834
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: 14c0d35bee7b76e9fdb2ceac20964509794def159990583e9de6aa631136a159
                            • Instruction ID: 34f4fa09e0ba21be090da8d9603ed58ad8fb9450fb79702d52b8612fe5401ce4
                            • Opcode Fuzzy Hash: 14c0d35bee7b76e9fdb2ceac20964509794def159990583e9de6aa631136a159
                            • Instruction Fuzzy Hash: E231AFB5B003289FD710DF69C884A6ABBA9FF89710B054529EA4997741D731FC40CBE0
                            APIs
                            • LoadLibraryA.KERNEL32(wtsapi32.dll,00DB7168), ref: 00DB744E
                            • GetProcAddress.KERNEL32(00000000,WTSStopRemoteControlSession), ref: 00DB746B
                            • GetProcAddress.KERNEL32(WTSStartRemoteControlSessionW), ref: 00DB747D
                            • GetProcAddress.KERNEL32(WTSStartRemoteControlSessionA), ref: 00DB748F
                            • GetProcAddress.KERNEL32(WTSConnectSessionW), ref: 00DB74A1
                            • GetProcAddress.KERNEL32(WTSConnectSessionA), ref: 00DB74B3
                            • GetProcAddress.KERNEL32(WTSEnumerateServersW), ref: 00DB74C5
                            • GetProcAddress.KERNEL32(WTSEnumerateServersA), ref: 00DB74D7
                            • GetProcAddress.KERNEL32(WTSOpenServerW), ref: 00DB74E9
                            • GetProcAddress.KERNEL32(WTSOpenServerA), ref: 00DB74FB
                            • GetProcAddress.KERNEL32(WTSOpenServerExW), ref: 00DB750D
                            • GetProcAddress.KERNEL32(WTSOpenServerExA), ref: 00DB751F
                            • GetProcAddress.KERNEL32(WTSCloseServer), ref: 00DB7531
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsW), ref: 00DB7543
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsA), ref: 00DB7555
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsExW), ref: 00DB7567
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsExA), ref: 00DB7579
                            • GetProcAddress.KERNEL32(WTSEnumerateProcessesW), ref: 00DB758B
                            • GetProcAddress.KERNEL32(WTSEnumerateProcessesA), ref: 00DB759D
                            • GetProcAddress.KERNEL32(WTSTerminateProcess), ref: 00DB75AF
                            • GetProcAddress.KERNEL32(WTSQuerySessionInformationW), ref: 00DB75C1
                            • GetProcAddress.KERNEL32(WTSQuerySessionInformationA), ref: 00DB75D3
                            • GetProcAddress.KERNEL32(WTSQueryUserConfigW), ref: 00DB75E5
                            • GetProcAddress.KERNEL32(WTSQueryUserConfigA), ref: 00DB75F7
                            • GetProcAddress.KERNEL32(WTSSetUserConfigW), ref: 00DB7609
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WTSCloseServer$WTSConnectSessionA$WTSConnectSessionW$WTSCreateListenerA$WTSCreateListenerW$WTSDisconnectSession$WTSEnableChildSessions$WTSEnumerateListenersA$WTSEnumerateListenersW$WTSEnumerateProcessesA$WTSEnumerateProcessesExA$WTSEnumerateProcessesExW$WTSEnumerateProcessesW$WTSEnumerateServersA$WTSEnumerateServersW$WTSEnumerateSessionsA$WTSEnumerateSessionsExA$WTSEnumerateSessionsExW$WTSEnumerateSessionsW$WTSFreeMemory$WTSFreeMemoryExA$WTSFreeMemoryExW$WTSGetActiveConsoleSessionId$WTSGetChildSessionId$WTSGetListenerSecurityA$WTSGetListenerSecurityW$WTSIsChildSessionsEnabled$WTSLogoffSession$WTSOpenServerA$WTSOpenServerExA$WTSOpenServerExW$WTSOpenServerW$WTSQueryListenerConfigA$WTSQueryListenerConfigW$WTSQuerySessionInformationA$WTSQuerySessionInformationW$WTSQueryUserConfigA$WTSQueryUserConfigW$WTSQueryUserToken$WTSRegisterSessionNotification$WTSRegisterSessionNotificationEx$WTSSendMessageA$WTSSendMessageW$WTSSetListenerSecurityA$WTSSetListenerSecurityW$WTSSetUserConfigA$WTSSetUserConfigW$WTSShutdownSystem$WTSStartRemoteControlSessionA$WTSStartRemoteControlSessionW$WTSStopRemoteControlSession$WTSTerminateProcess$WTSUnRegisterSessionNotification$WTSUnRegisterSessionNotificationEx$WTSVirtualChannelClose$WTSVirtualChannelOpen$WTSVirtualChannelOpenEx$WTSVirtualChannelPurgeInput$WTSVirtualChannelPurgeOutput$WTSVirtualChannelQuery$WTSVirtualChannelRead$WTSVirtualChannelWrite$WTSWaitSystemEvent$wtsapi32.dll
                            • API String ID: 2238633743-2998606599
                            • Opcode ID: 58f037b4dfcc0c0f6153050d52cb80cf1f43709ff7803f71061a8f5da0502f32
                            • Instruction ID: 889e04a529bee836fa364e9f33b3c2be857b4fef63ba590a49f0ca02da6b30e0
                            • Opcode Fuzzy Hash: 58f037b4dfcc0c0f6153050d52cb80cf1f43709ff7803f71061a8f5da0502f32
                            • Instruction Fuzzy Hash: 56B158B4D44315EBCB315F79AC4A8063EA3E7047783808917E9845E2BAE6BF8050FF91
                            APIs
                              • Part of subcall function 00DB6B05: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,00000000,00000000,00000000,?,00D6E59B,00000001,00006060,00000010), ref: 00DB6B3E
                            • GetVersionExA.KERNEL32(?), ref: 00D6E5CD
                            • GetNativeSystemInfo.KERNEL32(?), ref: 00D6E5E7
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00D6E612
                            • primitives_get.GETSCREEN-156413884-X86 ref: 00D6E6DC
                            • CreateThreadpool.KERNEL32(00000000), ref: 00D6E6E2
                            Strings
                            • Software\FreeRDP\FreeRDP\RemoteFX, xrefs: 00D6E605
                            • com.freerdp.codec.rfx, xrefs: 00D6E530
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CountCreateCriticalInfoInitializeNativeOpenSectionSpinSystemThreadpoolVersionprimitives_get
                            • String ID: Software\FreeRDP\FreeRDP\RemoteFX$com.freerdp.codec.rfx
                            • API String ID: 3882483829-2530424157
                            • Opcode ID: 32f5e091e2b1d32d4fc4213206633ff03a16acd273ed0287aa5cb20d16a4fdae
                            • Instruction ID: 5c4e0ae59249631e6cc24edc33fd482fdee636d76ee8ea35f24eae6d19730bd6
                            • Opcode Fuzzy Hash: 32f5e091e2b1d32d4fc4213206633ff03a16acd273ed0287aa5cb20d16a4fdae
                            • Instruction Fuzzy Hash: 0041AEB5A0070AAFEB109FB5DC86B6AB7F8FF44704F10442DE549A6282EB74D9458F70
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB43BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EncryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EncryptMessage
                            • API String ID: 689400697-3976766517
                            • Opcode ID: f369313ce97d77256c537f2cd269f98f8828213c85fe734e9aed2eadb1d5a78d
                            • Instruction ID: b9081319dcaf33b24754beb8ac5c78ab50d4c5ef5aaeac8cc1ecbdc5ad09c99c
                            • Opcode Fuzzy Hash: f369313ce97d77256c537f2cd269f98f8828213c85fe734e9aed2eadb1d5a78d
                            • Instruction Fuzzy Hash: 10114635784305BBEA21AE56EC07F673A5CDB91B60F040054F541A61E2D9A2D921E671
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB42FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DecryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DecryptMessage
                            • API String ID: 689400697-3301108232
                            • Opcode ID: 3bd30c57549016c991fe5c43270f22717075e25eed3e706dcfc899111b149208
                            • Instruction ID: dd33cee2726611f6ec9e59f22ed0059c62e60ab8a3d6583eb77e36d44d2969aa
                            • Opcode Fuzzy Hash: 3bd30c57549016c991fe5c43270f22717075e25eed3e706dcfc899111b149208
                            • Instruction Fuzzy Hash: 4011AB357C4305BBEA216A56EC43E6F3FACEB95B60F080054F541A61D2D962DA10E771
                            APIs
                            • crypto_cert_fingerprint.GETSCREEN-156413884-X86(?), ref: 00D55E1C
                              • Part of subcall function 00D5576E: crypto_cert_fingerprint_by_hash.GETSCREEN-156413884-X86(?,sha256), ref: 00D55779
                            • crypto_cert_issuer.GETSCREEN-156413884-X86(?), ref: 00D55E30
                            • crypto_cert_subject.GETSCREEN-156413884-X86(?,?), ref: 00D55E3A
                            • certificate_data_new.GETSCREEN-156413884-X86(?,?,00000000,00000000,00000000,?,?), ref: 00D55E4A
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: certificate_data_newcrypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
                            • String ID:
                            • API String ID: 1865246629-0
                            • Opcode ID: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
                            • Instruction ID: 1c0b49ac72356f5ad9bb6363ab6a0902b68539d48f6c4c0547ab9c3a12defea7
                            • Opcode Fuzzy Hash: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
                            • Instruction Fuzzy Hash: ACE0DF36400608BF8F122F69EC06C9F3EBDDF853E0B084124BC1856129DA31CE1096B0
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DFFDC9,00F2C654), ref: 00DFFCAE
                            • UnhandledExceptionFilter.KERNEL32(?,?,00DFFDC9,00F2C654), ref: 00DFFCB7
                            • GetCurrentProcess.KERNEL32(C0000409,?,00DFFDC9,00F2C654), ref: 00DFFCC2
                            • TerminateProcess.KERNEL32(00000000,?,00DFFDC9,00F2C654), ref: 00DFFCC9
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                            • String ID:
                            • API String ID: 3231755760-0
                            • Opcode ID: 016b122b261de21273483e79371318767e93e4d76e6305f054fed9ede04224c6
                            • Instruction ID: a7857dc23f70debcd977cb2c300a531c34c70a76bf39b72adb1ed1a1a4242ea3
                            • Opcode Fuzzy Hash: 016b122b261de21273483e79371318767e93e4d76e6305f054fed9ede04224c6
                            • Instruction Fuzzy Hash: B3D012BA200208AFCB002BE2FD0DB493F2CFB4A61AF050000F31AA20F0CB71440A8B65
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: Genu$OPENSSL_ia32cap$ineI$ntel
                            • API String ID: 0-3767422159
                            • Opcode ID: ae20e81f5512b77e481a2e372628164d7d4438548ba766812f1aba8ba182533d
                            • Instruction ID: de1202f48f8790d414aeeb0ca491e35612ab89476333db9efcefede778ee7140
                            • Opcode Fuzzy Hash: ae20e81f5512b77e481a2e372628164d7d4438548ba766812f1aba8ba182533d
                            • Instruction Fuzzy Hash: AA4126B6F0624D07EF9C867DAC9537E7589FB91364F28423ED926D62C0DE348D408A85
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E062AD
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E062B7
                            • UnhandledExceptionFilter.KERNEL32(00D2259A,?,?,?,?,?,00000000), ref: 00E062C4
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 2ccb5e450294c3fe2719864c2c993fac8f5844d992e25ede9c9290fb90015094
                            • Instruction ID: 6a2952a010dd6da13343bb6801a2fa41b5786336413aad5d3db0be1cc73455ad
                            • Opcode Fuzzy Hash: 2ccb5e450294c3fe2719864c2c993fac8f5844d992e25ede9c9290fb90015094
                            • Instruction Fuzzy Hash: 3F31B37490122C9BCB21DF28D88978DBBF8BF08314F5051EAE41CB62A0EB709B858F54
                            APIs
                            • crypto_cert_subject.GETSCREEN-156413884-X86(?), ref: 00D55B42
                            • crypto_cert_issuer.GETSCREEN-156413884-X86(?,?), ref: 00D55B4C
                            • crypto_cert_fingerprint.GETSCREEN-156413884-X86(?,?,?), ref: 00D55B56
                              • Part of subcall function 00D5576E: crypto_cert_fingerprint_by_hash.GETSCREEN-156413884-X86(?,sha256), ref: 00D55779
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: crypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
                            • String ID:
                            • API String ID: 727492566-0
                            • Opcode ID: 2403153368bf5f0852c407299b060d09ba28b0057ab7bad3b343f04c5c55d6c4
                            • Instruction ID: f357fcf4cb418b04d764c3de1ef7c4baeff25b8ba25949f7cb7423e003aecef0
                            • Opcode Fuzzy Hash: 2403153368bf5f0852c407299b060d09ba28b0057ab7bad3b343f04c5c55d6c4
                            • Instruction Fuzzy Hash: 3A118271704B0226EF369676BC2AF2F27DCDF117A1B188415FC00DB18AEA26DD0486B4
                            APIs
                            • crypto_cert_fingerprint_by_hash.GETSCREEN-156413884-X86(?,sha256), ref: 00D55779
                              • Part of subcall function 00D55782: crypto_cert_hash.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00D5577E,?,sha256), ref: 00D55792
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: crypto_cert_fingerprint_by_hashcrypto_cert_hash
                            • String ID: sha256
                            • API String ID: 2885152359-1556616439
                            • Opcode ID: c1e9b217ca1ffe56e717449f4c2af574b4cc3c33386e733707082b913d5a7de7
                            • Instruction ID: e567db67adf3dbc249e0d7542a6e120bc2eccc011ac05864b18c4408144b3351
                            • Opcode Fuzzy Hash: c1e9b217ca1ffe56e717449f4c2af574b4cc3c33386e733707082b913d5a7de7
                            • Instruction Fuzzy Hash: 21A0223020830CBB8E023B83CC03C0A3E0CCA00B83B0020B8BC0020023CBA2BA0280F2
                            APIs
                            • crypto_base64_encode.GETSCREEN-156413884-X86(00F4A688,00000000,00000000,00000000,00000000,?,00D55E4F,?,?,00000000,00000000,00000000,?,?), ref: 00D63F7D
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: crypto_base64_encode
                            • String ID:
                            • API String ID: 2528031924-0
                            • Opcode ID: 1fe5a3de59c1c85c98f480b88233d7ac88b521ca3bf8fc4c4f11a835b4a4b415
                            • Instruction ID: 1fcad4f5210f19a334c1a5e72c29a226ad98737459e4eac7e453d7e8899c13a2
                            • Opcode Fuzzy Hash: 1fe5a3de59c1c85c98f480b88233d7ac88b521ca3bf8fc4c4f11a835b4a4b415
                            • Instruction Fuzzy Hash: DD210A32A04B03AFCB30AF69C80285B77E8EF44351B18442DF945A7192EB35D880CF70
                            APIs
                            • crypto_cert_hash.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00D5577E,?,sha256), ref: 00D55792
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: crypto_cert_hash
                            • String ID:
                            • API String ID: 1547982073-0
                            • Opcode ID: 7460d84a63f73ef57bb7a90a7cbc953c30664581771c6989db31222eff5a1bf8
                            • Instruction ID: ba850467087f0828a334f71c251a8c15d8166dc4bdc3d4065560b9b78e07df4a
                            • Opcode Fuzzy Hash: 7460d84a63f73ef57bb7a90a7cbc953c30664581771c6989db31222eff5a1bf8
                            • Instruction Fuzzy Hash: 2DC048B601010CBFAF06AB85CC86CAA7B6DEA04260B008225BE0445021E6B2BE14AAB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: o.u
                            • API String ID: 0-2544032144
                            • Opcode ID: 62ceb7660dc4629b2ac26ecb48289b630fa7e8fd35740ff450311f40593f9d80
                            • Instruction ID: fb4e2034edf3ad5f44a358b093e73398b581b673264e65eb06755873bb9dd17d
                            • Opcode Fuzzy Hash: 62ceb7660dc4629b2ac26ecb48289b630fa7e8fd35740ff450311f40593f9d80
                            • Instruction Fuzzy Hash: 5081E120D18BC587E7128F3CC8426AAF3A4BFD6318F14E719EED466152FB71A6C58781
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 6f2c8adfc3a7746f7bcc21c7e8ebdf9c9b635e5e3cb3ad753f3208d9ff8683b7
                            • Instruction ID: 562affd42bf784ddf98d1be003d6c0b8107474a2717e2619a77246753272dd68
                            • Opcode Fuzzy Hash: 6f2c8adfc3a7746f7bcc21c7e8ebdf9c9b635e5e3cb3ad753f3208d9ff8683b7
                            • Instruction Fuzzy Hash: FEF0BE32210608BAEF229E95EC4AF9B7BACDB407A0F240025FE046A140D6719D0486B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8843ff878148d9d6b200c78fe77f3a658439cee7fc1cd39c9f06291863b8ff64
                            • Instruction ID: 14db8f50dbe7c54e591788a1c4512dee5504e2f07de67c73789d775a0e45e454
                            • Opcode Fuzzy Hash: 8843ff878148d9d6b200c78fe77f3a658439cee7fc1cd39c9f06291863b8ff64
                            • Instruction Fuzzy Hash: C1E1D369C2DFD946E323573EA80326BE7647FFB284E50EB1BBDD431C21EB6142456209
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be81703520fa74d5847a713d340fe6bf848b73201990e2e06a3e8eaca0f20479
                            • Instruction ID: 10fcef939b0b583ff3274529d616bbdf6e9fcf77bc2851a7fe8f36e979aa5c1c
                            • Opcode Fuzzy Hash: be81703520fa74d5847a713d340fe6bf848b73201990e2e06a3e8eaca0f20479
                            • Instruction Fuzzy Hash: 3AA1AD21C19FC586E70B3B35444B265E330AFF3288B54CB06FDA178967EB69B6C85261
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 06cfed2109845416018322ccb59ac96f7411ea8d75f5aac0e58571d0c0e5568b
                            • Instruction ID: 6bd73b07ed0964d515ddbbdade972e58e1512b3ed73cc4faeef96dff51467de9
                            • Opcode Fuzzy Hash: 06cfed2109845416018322ccb59ac96f7411ea8d75f5aac0e58571d0c0e5568b
                            • Instruction Fuzzy Hash: C33133A26083C40ED3198F6C88646747FE59BAA100B0D84DEE9F9CF343E120DA0AD731
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67c5a5b38ad57acd17395755d6869b213b2472f5960ea1db488aef957251935f
                            • Instruction ID: dd1968abbb16a3c8fff670917b0ab1def610f4478baa494159eae58501fde8a0
                            • Opcode Fuzzy Hash: 67c5a5b38ad57acd17395755d6869b213b2472f5960ea1db488aef957251935f
                            • Instruction Fuzzy Hash: 02512372C20F8286E261AB31CD45793B7E17FE5304F24972EE4DA211A1FBB571E48E85
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1bd6ee22b8be88284ea3de3379d93d189bee9a2acde73ad58f94725c0800f69d
                            • Instruction ID: 34ebaeb37e2cd86641bcbb81574a1f0103a965a8e8a7a8c53d3871bbde799a2a
                            • Opcode Fuzzy Hash: 1bd6ee22b8be88284ea3de3379d93d189bee9a2acde73ad58f94725c0800f69d
                            • Instruction Fuzzy Hash: 4721A520C1CFC9C5E71B7B388C4B2AAAB506FEB344F51D716F8D839452FB284654E151
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
                            • Instruction ID: 3e4aa2ddb2d8e81c8354a7a9abd9c0855dd406e35942f766b766150b3b172115
                            • Opcode Fuzzy Hash: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
                            • Instruction Fuzzy Hash: DD1151D9C2AF7A06E713633B5D42242DA105EF7989550D347FCB439D61F701B5C17210
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID:
                            • API String ID: 626452242-0
                            • Opcode ID: 4cfa1d1722eb79ed8c6b704e1e76a99dce7f1ad66c420fb1f8b603a864e74dc0
                            • Instruction ID: 970e76ee9d7991c146ac7fef4dd9531e5d4a0652bc87df06ce420964a836ea40
                            • Opcode Fuzzy Hash: 4cfa1d1722eb79ed8c6b704e1e76a99dce7f1ad66c420fb1f8b603a864e74dc0
                            • Instruction Fuzzy Hash: F8011275A0020DAFDB08DFA9DC519FFBBB9EB88720F10812AF515A7291EA705905CB70
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b422819db95d3645cbdcc77238595e870197e85cf553f878d55c446da8e9666
                            • Instruction ID: 41505bf8cf5951f31ab428fa2e0f3685ea666266fc7e5b4dbe963e1d5a9e9e38
                            • Opcode Fuzzy Hash: 7b422819db95d3645cbdcc77238595e870197e85cf553f878d55c446da8e9666
                            • Instruction Fuzzy Hash: E6F06272904119AFDF05ABA4DC068BE77A8EF04315F500469FC12A7141EA74D9188A70
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 911fe133215822d16af9a9dfc112a6ee4ab14ddce8b8a69d0b2a4c7a9a515291
                            • Instruction ID: 842e43f4289518e28d74c16c7e84d4214ffe0bce9b6da920772f168b778eb596
                            • Opcode Fuzzy Hash: 911fe133215822d16af9a9dfc112a6ee4ab14ddce8b8a69d0b2a4c7a9a515291
                            • Instruction Fuzzy Hash: 74E09B32100E19E6CF131E05EC519AB3B55EFC2373F180026FD0467044C731B982CBA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfd3501ae8cc7d54b5b6039e73c4159469e4ee806065cc444d8108c8b9717388
                            • Instruction ID: 419e91bec4c82c99b07cd036027dfda2c2694e7e65ce98a11267ea2dad50fc65
                            • Opcode Fuzzy Hash: cfd3501ae8cc7d54b5b6039e73c4159469e4ee806065cc444d8108c8b9717388
                            • Instruction Fuzzy Hash: 62E08635B122159F8B15CE65D8015AA7BE5BF45704B54A46CDDC5EB300D330EC01CB80
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: abef29f18486b8e7023c2129847a18c3c9cea34ce2d28db27c277d5279c50b60
                            • Instruction ID: e2fa7e35269439170c35fce92ff8c28daf2a0b6a6056d6c22f76eefd2463ec57
                            • Opcode Fuzzy Hash: abef29f18486b8e7023c2129847a18c3c9cea34ce2d28db27c277d5279c50b60
                            • Instruction Fuzzy Hash: CDD05E3225420DABEF059EE5FC00DBA3B9DEF44625B0C4498FD2C8A511E636D830A650
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92904718c7774d80baf37b01db223b482aa12a3400e7c889efefc14f73fae5f7
                            • Instruction ID: 5dc183ba330e40957fad80d8a3ad8f84ae50c2ff52a5091aa0c16c402afd12c0
                            • Opcode Fuzzy Hash: 92904718c7774d80baf37b01db223b482aa12a3400e7c889efefc14f73fae5f7
                            • Instruction Fuzzy Hash: EEE0C22A5096A7878721495D60104A7FFA9ADDA695328C5AAEEE45B30A8020EE4543F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b4a5700dd9c090860e746394635df8148f9f381a8a4f8febb47ad15a4feb3c59
                            • Instruction ID: 23f7aee23fbcb4f2a99abbc545e3f8f4e2f422cb978c3f8ed146012e22aa7ba2
                            • Opcode Fuzzy Hash: b4a5700dd9c090860e746394635df8148f9f381a8a4f8febb47ad15a4feb3c59
                            • Instruction Fuzzy Hash: EAD0123252D93536D92536A9EC07E8B394DCB427B4F150311BC22A51D9E980DE0181E1
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 020cacdd8480cb7acb5a33face7ae5f67d8364c27b2bc5f228b0cde8383a0b65
                            • Instruction ID: e3ec27fb53f9a565ed73b66eba37145f76e25e124ccd78da7bb263489c6aba31
                            • Opcode Fuzzy Hash: 020cacdd8480cb7acb5a33face7ae5f67d8364c27b2bc5f228b0cde8383a0b65
                            • Instruction Fuzzy Hash: F7D06C3204460DBBCF022E85AC02DAA3B6AAB08662F448050FF1805522E673D571ABA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc66a9d30c7db1291679ea8940f3866de8d0a73c04af855de0002ed13e2284d9
                            • Instruction ID: 222b4e2af94bbfea3b511734f8257ca267eae342a6a288dfd215d9dabce14bb7
                            • Opcode Fuzzy Hash: dc66a9d30c7db1291679ea8940f3866de8d0a73c04af855de0002ed13e2284d9
                            • Instruction Fuzzy Hash: 93D02233241A2F76EA2036D4A806FDB7B8CCB00BB6F044012FE0CAE185CD60880603F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a874a97c1a0f1350a0a091136a2aa511b6a6aa38adc0722bbc87292597935bc
                            • Instruction ID: 0e91feeecc876a76e10ec398403ce23e2b5e6ae72c73e115dff9804e3f41164d
                            • Opcode Fuzzy Hash: 0a874a97c1a0f1350a0a091136a2aa511b6a6aa38adc0722bbc87292597935bc
                            • Instruction Fuzzy Hash: 85D0953600420EBB8F026EC5DC02CAA3F6AFF08391F408010FE2001022DA33E931ABE1
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c44ae05eeeaf96c3b4c4259dcbd0ced95bce8786c5fb31708b966f3efd20d008
                            • Instruction ID: 91e23dd84f762b46bc56f0ed85777cde0c837a02c25801760fa949f67a84495d
                            • Opcode Fuzzy Hash: c44ae05eeeaf96c3b4c4259dcbd0ced95bce8786c5fb31708b966f3efd20d008
                            • Instruction Fuzzy Hash: C2C0122044421C7AEF00FAE4CC0BDBF7A6CEB00701FC004107D1053042E6B0D51D86B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00697b1b55a066e8f6e82ecc9971366dd5c01e2c0e8b86d5be220022d81dff43
                            • Instruction ID: df2ac6a19e282e52eaa3b77a736fb7e4b4ff410bfa794ca1b51d6b982a88c2cc
                            • Opcode Fuzzy Hash: 00697b1b55a066e8f6e82ecc9971366dd5c01e2c0e8b86d5be220022d81dff43
                            • Instruction Fuzzy Hash: B9C02B32401238E34E113D44E400899BF8C8D00BA230C0021FC083711641136C0003E0
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4b7a3ce230df7e31ab3e725e1e43306e95fe06bef9b56ac6c445c84563359095
                            • Instruction ID: 87eb183e67802edc6cde5889e2f8a0c04e705deaea7600a1df51b01cd2a52767
                            • Opcode Fuzzy Hash: 4b7a3ce230df7e31ab3e725e1e43306e95fe06bef9b56ac6c445c84563359095
                            • Instruction Fuzzy Hash: A9C0027114820DABCF029F95EC018993B6AEF45368B004065FD180A221D63399319BA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f213a4fa0332fa88bc39a926fb07c1300ecb502a4f432fd2e01db9a1bb9e3ce3
                            • Instruction ID: 4e1a5f3b0ea0407e92c410e3ba137f5422deec082eafdb3fdba1cca5fd6c0de2
                            • Opcode Fuzzy Hash: f213a4fa0332fa88bc39a926fb07c1300ecb502a4f432fd2e01db9a1bb9e3ce3
                            • Instruction Fuzzy Hash: AFB0123204C30C7A9D0936E1FC0784A3B8DC9406F07200016FC2D05456AD27F55052FD
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c058d809a171879c7d2e6b30af2b691a972df3c75a096c5f2351ff0c006427d
                            • Instruction ID: eec5a375ecff08bb143ef01d80de91bbe13dee169b701c37e0d9f64dc46c04d8
                            • Opcode Fuzzy Hash: 5c058d809a171879c7d2e6b30af2b691a972df3c75a096c5f2351ff0c006427d
                            • Instruction Fuzzy Hash: 49B09231004228BB47266A9A8809C8B7FACEB06AA07000000BD09471118A34A901D6EA
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a503f68feaf53306e5e090325c103b21fd0aafa9d66652788954b5afafb2aef
                            • Instruction ID: 7e6491405c832f5386b6ee998b355e642099619fb39de2db90d20a66ccfcd324
                            • Opcode Fuzzy Hash: 4a503f68feaf53306e5e090325c103b21fd0aafa9d66652788954b5afafb2aef
                            • Instruction Fuzzy Hash: D9C09B648053489ADA40F7F5850E85F7AEC9F05700F854514AD9157143DA78D548C7B3
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            • freerdp_error_info.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA1519
                            • freerdp_get_error_info_string.GETSCREEN-156413884-X86(00000000,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA155D
                            • freerdp_reconnect.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA1601
                            • freerdp_get_last_error.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA1611
                            • Sleep.KERNEL32(0000000A,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA167E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Sleepfreerdp_error_infofreerdp_get_error_info_stringfreerdp_get_last_errorfreerdp_reconnect
                            • String ID: Attempting reconnect (%u of %u)$Autoreconnect aborted by user$C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c$Disconnected by server hitting a bug or resource limit [%s]$Maximum reconnect retries exceeded$Network disconnect!$client_auto_reconnect_ex$com.freerdp.client.common
                            • API String ID: 968149013-2963753137
                            APIs
                            • gdi_get_pixel_format.GETSCREEN-156413884-X86(?,?,?,?,?,00D6A899,?,?,00000000,00000000,Function_006DAA7A), ref: 00D6A8B3
                            • gdi_free.GETSCREEN-156413884-X86(?,?,?,?,?,00D6A899,?,?,00000000,00000000,Function_006DAA7A), ref: 00D6AA40
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: gdi_freegdi_get_pixel_format
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c$com.freerdp.gdi$failed to initialize gdi$gdi_init_ex
                            • API String ID: 1251975138-534786182
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00D30F64
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00D30F79
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: ,$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load_ex
                            • API String ID: 3168844106-1571615648
                            APIs
                            • freerdp_settings_free.GETSCREEN-156413884-X86(00000000), ref: 00D37326
                              • Part of subcall function 00D37F9B: GetComputerNameExA.KERNEL32(00000000,?,?,00000000), ref: 00D37FCC
                              • Part of subcall function 00D37F9B: freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000680,?), ref: 00D37FFC
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(00000000,00000086,?), ref: 00D36D8C
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(00000000,00001446,00000001), ref: 00D37177
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(00000000,00001447,00000003), ref: 00D3718F
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(00000000,00001448,00000005), ref: 00D371A7
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(00000000,00001449,00000002), ref: 00D371BF
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(00000000,0000144A,00002328), ref: 00D371DA
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(00000000,0000144D,00003A98), ref: 00D371F5
                            Strings
                            • C:\Windows\System32\mstscax.dll, xrefs: 00D36F3F
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_uint32$freerdp_settings_set_string$ComputerNamefreerdp_settings_freefreerdp_settings_set_bool
                            • String ID: C:\Windows\System32\mstscax.dll
                            • API String ID: 2536960967-183970058
                            APIs
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,?), ref: 00DA6D79
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,00000000), ref: 00DA6E1D
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,00000000), ref: 00DA6F6F
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,00000000), ref: 00DA7044
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_device_collection_add
                            • String ID: drive$parallel$printer$serial$smartcard
                            • API String ID: 2538329621-807955808
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00D30D92
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00D30DB2
                            Strings
                            Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load
                            • API String ID: 3168844106-4217659166
                            • Opcode ID: 51e591a06f08c591435b422d6e952d2ddc77b0e0d15d6984e73f578023353a9d
                            • Instruction ID: d2acf971fe50968f178ca803bba6dce10a18dfd0ca66655c62a2c63ab1213201
                            • Opcode Fuzzy Hash: 51e591a06f08c591435b422d6e952d2ddc77b0e0d15d6984e73f578023353a9d
                            • Instruction Fuzzy Hash: E751AF71A40305AFEB24DF65EC46B5A7BA8EB05714F144029F644BB2D1EBB4A900CB64
                            APIs
                            • audio_format_get_tag_string.GETSCREEN-156413884-X86(00000000,?,?,00E35425,?,?,?,?,00000000,?), ref: 00E358FA
                            • audio_format_get_tag_string.GETSCREEN-156413884-X86(00000001,00000000,?,?,00E35425,?,?,?,?,00000000,?), ref: 00E35902
                            • audio_format_compatible.GETSCREEN-156413884-X86(%T,?,?,?,?,00E35425,?,?,?,?,00000000,?), ref: 00E3594D
                            Strings
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: audio_format_get_tag_string$audio_format_compatible
                            • String ID: %T$%s requires %s for sample input, got %s$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c$Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON$com.freerdp.dsp$freerdp_dsp_resample
                            • API String ID: 204136587-1473788660
                            • Opcode ID: 29c281bf8f68dacc1c6ecbc63b5716983a06f941abb9707eafc645fe31ac66ec
                            • Instruction ID: 1798c5e9b03cc595c653d2a1446ba90b8626bdce48c38534dee020eb9ed1cae7
                            • Opcode Fuzzy Hash: 29c281bf8f68dacc1c6ecbc63b5716983a06f941abb9707eafc645fe31ac66ec
                            • Instruction Fuzzy Hash: 8521AAB27443016AE7245B64AC47F6B3BDCDB5173CF10141AFA54FA1C1EDA1E840D67A
                            APIs
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,00000400,00000001), ref: 00E33B87
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000401,00000000), ref: 00E33BB7
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000404,?), ref: 00E33BDB
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000402,00000000), ref: 00E33BFA
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000014,?), ref: 00E33C12
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,000006C1,?), ref: 00E33C2B
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000403,?), ref: 00E33C44
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000015,00000000), ref: 00E33C60
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(?,00000013,?), ref: 00E33C82
                            • freerdp_target_net_addresses_free.GETSCREEN-156413884-X86(?), ref: 00E33C93
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_string$freerdp_settings_set_boolfreerdp_settings_set_uint32freerdp_target_net_addresses_free
                            • String ID:
                            • API String ID: 949014189-0
                            • Opcode ID: 6cef6dd10707ff90aaa457e2c58685527288738f0f1d639d76a365eb69d9ad72
                            • Instruction ID: 3cc2f8fa1af4a78d03d4e5adae9df05d7f39a7578fcc74f9f9acc278b3b8a316
                            • Opcode Fuzzy Hash: 6cef6dd10707ff90aaa457e2c58685527288738f0f1d639d76a365eb69d9ad72
                            • Instruction Fuzzy Hash: C841D971600A06BBE7315F34EC4EF9A7B94FF04308F441024FA05E6591E776EA60CBA4
                            APIs
                              • Part of subcall function 00DB5CD5: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,?,00DE1701,00000001), ref: 00DB5CF9
                            • zgfx_context_new.GETSCREEN-156413884-X86(00000000), ref: 00DE1874
                              • Part of subcall function 00E3693A: zgfx_context_reset.GETSCREEN-156413884-X86(00000000,00000000,00000000,?,00DE1879,00000000), ref: 00E36964
                            Strings
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpinzgfx_context_newzgfx_context_reset
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c$Failed to acquire reference to WLog %s$HashTable_New failed!$calloc failed!$com.freerdp.channels.rdpgfx.client$rdpgfx_client_context_new$zgfx_context_new failed!
                            • API String ID: 3732774510-3243565116
                            • Opcode ID: e74ce8ee631442bdc1fbf04b03170d64e4ef0986876eec0aec06964121f56f51
                            • Instruction ID: a7884d76c1402203b4a71a9339bf000f96533329993c787448c501b47fe49e02
                            • Opcode Fuzzy Hash: e74ce8ee631442bdc1fbf04b03170d64e4ef0986876eec0aec06964121f56f51
                            • Instruction Fuzzy Hash: 29711974784742BAD320AF26AC46B5677D8FB15B64F140129F544EB6C1DBB4E840CBB4
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00DAE8B2
                            • GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00DAE8D6
                            Strings
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: %s environment variable modified in my back$BINARY$CONSOLE$FILE$UDP$WLOG_APPENDER
                            • API String ID: 1431749950-225596728
                            • Opcode ID: 26dffbe6dfdadfba69782d2fe792a3301b81378424556aa33b7939396d17bdc5
                            • Instruction ID: ee82b75be1a7cbf690fccbfebfb7c04767cf7637468d7e82a100162d7369ee3d
                            • Opcode Fuzzy Hash: 26dffbe6dfdadfba69782d2fe792a3301b81378424556aa33b7939396d17bdc5
                            • Instruction Fuzzy Hash: D521A13734835629E6647366AC8BE3B1B99CB93B74724043AF405F50C2EE55C891EDB2
                            APIs
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,?,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000015B), ref: 00D348D9
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,00000000,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000016A), ref: 00D3498F
                            Strings
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_set_last_error_ex
                            • String ID: %s missing context=%p$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c$ErrorInfo$com.freerdp.core.rdp$freerdp$rdp_set_error_info
                            • API String ID: 270715978-29603548
                            • Opcode ID: 6805e0f0f859e76f837a4a9d0c547b024f1cb982e7fd7b7dafe110a540c0051d
                            • Instruction ID: d3638f7f4958cd93d300bb98f490a1a99c7581fee34172c24aa3615508b6c4d9
                            • Opcode Fuzzy Hash: 6805e0f0f859e76f837a4a9d0c547b024f1cb982e7fd7b7dafe110a540c0051d
                            • Instruction Fuzzy Hash: D8210B72A40305BADB106F55DC03FAB7B6CDB51B14F184169FA047A2C5E6F8A640CEB5
                            APIs
                            • LoadLibraryA.KERNEL32(secur32.dll,?,00DB4AEC), ref: 00DB4B18
                            • LoadLibraryA.KERNEL32(security.dll,?,00DB4AEC), ref: 00DB4B28
                            • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceW), ref: 00DB4B42
                            • GetProcAddress.KERNEL32(InitSecurityInterfaceA), ref: 00DB4B51
                            Strings
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: InitSecurityInterfaceA$InitSecurityInterfaceW$secur32.dll$security.dll
                            • API String ID: 2574300362-4081094439
                            • Opcode ID: 6dc9c195ef71b49740e96efa3b3d7dac41623b4274284e34f788f6e9c7118604
                            • Instruction ID: c6c5fb9d0c236541ea0d90f628031eaa7f36e9349fb369af3d771d2e5b6abcc1
                            • Opcode Fuzzy Hash: 6dc9c195ef71b49740e96efa3b3d7dac41623b4274284e34f788f6e9c7118604
                            • Instruction Fuzzy Hash: 9AF08976D54326D69732EBBABC00D967AE8AB84B543090263E940E3154E6B5D8019FB1
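The String IDs in the entries above carry FreeRDP build artifacts rather than anything the sample tries to hide: absolute source paths under C:\Project\agent-windows\freerdp\FreeRDP\, WLog channel tags such as com.freerdp.core.client, the function names FreeRDP's logging macros pass along (freerdp_channels_client_load, freerdp_dsp_resample), and the secur32.dll / security.dll pair with InitSecurityInterfaceW/A that FreeRDP's SSPI layer resolves at run time. Pulled together across entries, they show which library modules are compiled into this agent and where it was built, which is consistent with a Getscreen remote-access agent statically linked against FreeRDP. The following Python is an added triage helper, not part of this report and not Joe Sandbox or Getscreen code: it parses API ID / String ID stanzas in the layout shown above (the sample lines are constructed from entries on this page) and buckets each string by what it reveals. It assumes, as seen here, that Joe Sandbox joins a function's strings with `$`; a string containing a literal `$` would be split incorrectly.

```python
import re

# Constructed input: three "Similarity" stanzas in the layout the report uses above
# (values copied from entries on this page; the grouping into one list is mine).
SAMPLE_LINES = [
    r"• API ID: CriticalSection$EnterLeave",
    r"• String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load",
    r"• API ID: audio_format_get_tag_string$audio_format_compatible",
    r"• String ID: %T$%s requires %s for sample input, got %s$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c$Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON$com.freerdp.dsp$freerdp_dsp_resample",
    r"• API ID: AddressLibraryLoadProc",
    r"• String ID: InitSecurityInterfaceA$InitSecurityInterfaceW$secur32.dll$security.dll",
]

WIN_PATH = re.compile(r"^[A-Za-z]:\\.+\.(?:c|cc|cpp|h|hpp)$")          # __FILE__ baked in by WLog
WLOG_TAG = re.compile(r"^com\.freerdp(?:\.[A-Za-z0-9_]+)*$")          # FreeRDP WLog channel names
DLL_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.dll$", re.IGNORECASE)        # run-time loaded modules


def parse_entries(lines):
    """Pair each '• API ID:' line with the '• String ID:' line that follows it."""
    entries, current = [], None
    for line in lines:
        text = line.strip().lstrip("• ").strip()
        if text.startswith("API ID:"):
            current = {"api_id": text[len("API ID:"):].strip(), "strings": []}
            entries.append(current)
        elif text.startswith("String ID:") and current is not None:
            # Assumption: Joe Sandbox joins the function's string references with '$',
            # so a string that itself contains '$' is split here (known limitation).
            body = text[len("String ID:"):].strip()
            current["strings"] = [s for s in body.split("$") if s]
    return entries


def classify(token):
    """Bucket one string reference by what it reveals about the binary's provenance."""
    if WIN_PATH.match(token):
        return "source_path"
    if WLOG_TAG.match(token):
        return "module"
    if DLL_NAME.match(token):
        return "dll"
    if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", token):
        return "identifier"      # function names passed to WLog, e.g. freerdp_dsp_resample
    return "message"             # format strings and log messages


def common_build_root(paths):
    """Longest common directory prefix of Windows source paths (split on backslash)."""
    if not paths:
        return ""
    parts = [p.split("\\")[:-1] for p in paths]    # drop the file name component
    root = parts[0]
    for other in parts[1:]:
        n = 0
        while n < min(len(root), len(other)) and root[n] == other[n]:
            n += 1
        root = root[:n]
    return "\\".join(root)


def summarize(entries):
    """Aggregate provenance evidence across all parsed entries."""
    buckets = {k: set() for k in ("source_path", "module", "dll", "identifier", "message")}
    for entry in entries:
        for token in entry["strings"]:
            buckets[classify(token)].add(token)
    root = common_build_root(sorted(buckets["source_path"]))
    # Report source files relative to the common build root so the tree is readable.
    rel = [p[len(root) + 1:] if root and p.startswith(root + "\\") else p
           for p in buckets["source_path"]]
    return {
        "build_root": root,
        "source_files": sorted(rel),
        "modules": sorted(buckets["module"]),
        "dlls": sorted(buckets["dll"]),
        "identifiers": sorted(buckets["identifier"]),
        "messages": sorted(buckets["message"]),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

Run against a full report export the same way: feed every line of the page to parse_entries and the build_root, modules and dlls buckets give a quick inventory of the embedded library and its loader dependencies without opening the binary.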
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00D64320
                            • GetFileSize.KERNEL32(00000000,?), ref: 00D6433A
                            Strings
                             Memory Dump Source
                             • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: same 19 associated dumps as listed above (identical for every function in this image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: File$CreateSize
                            • String ID: %s %hu %s %s %s
                            • API String ID: 2791376181-2916857029
                            • Opcode ID: 6f5cbd4aeb870431c3efe7dd1a35d044482453006dc06590acbc4c4f4c1987c0
                            • Instruction ID: 237e39134405a733fd206d3881dc8a96382620f8a7c352e027a9d41c61ed9067
                            • Opcode Fuzzy Hash: 6f5cbd4aeb870431c3efe7dd1a35d044482453006dc06590acbc4c4f4c1987c0
                            • Instruction Fuzzy Hash: 54514FB5A00215AFEB11ABB5EC45ABF77FCEF05720B14412AF911F6290EB3499408B74
                            APIs
                            • ber_read_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D4502A
                            • ber_read_length.GETSCREEN-156413884-X86(?,?), ref: 00D4503F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ber_read_lengthber_read_universal_tag
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c$ber_read_integer$com.freerdp.crypto$should implement reading an 8 bytes integer$should implement reading an integer with length=%d
                            • API String ID: 3186670568-2454464461
                            • Opcode ID: ba375764ba7af731fbd1cde8059592c2cac3e763f6c2fd08624046a6823b2fc2
                            • Instruction ID: 4e51c84c7c1c4a5764acaec974826a5cb9dc166e84ddfb10d4ec214304261f3c
                            • Opcode Fuzzy Hash: ba375764ba7af731fbd1cde8059592c2cac3e763f6c2fd08624046a6823b2fc2
                            • Instruction Fuzzy Hash: 354147B1704B426BDB208F25EC82B2A37E5EB52720F184169F5999B2CFE675D900CB70
                            APIs
                            • region16_rects.GETSCREEN-156413884-X86(?,?), ref: 00D89C6E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: region16_rects
                            • String ID: (%hu,%hu-%hu,%hu)$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c$band %d: $com.freerdp.codec$nrects=%u$region16_print
                            • API String ID: 844131241-2640574824
                            • Opcode ID: a0621893c0bcdac7eb9a1e157bffbd7a1cc333f7abe26ecca077089619322ab3
                            • Instruction ID: d14cf10fe670c30fddff6f47bd896c1f8f0084ad19bf62500fb6d94763b53b0e
                            • Opcode Fuzzy Hash: a0621893c0bcdac7eb9a1e157bffbd7a1cc333f7abe26ecca077089619322ab3
                            • Instruction Fuzzy Hash: A231A472780306B9E6306B65AC53F76B3D8DB56B11F181015FA94F62D0FA97A9808374
                            APIs
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D22C14
                            • clearChannelError.GETSCREEN-156413884-X86(?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D22C1B
                              • Part of subcall function 00D226E1: ResetEvent.KERNEL32(?), ref: 00D2270A
                              • Part of subcall function 00D38142: ResetEvent.KERNEL32(?,?,00D22C27,?,?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D3814E
                            Strings
                            • freerdp, xrefs: 00D23062
                            • ConnectionResult, xrefs: 00D23077
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D22BFC
                            • freerdp_connect, xrefs: 00D22C01
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EventReset$ChannelErrorclearfreerdp_set_last_error_ex
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$ConnectionResult$freerdp$freerdp_connect
                            • API String ID: 3632380314-3564821047
                            • Opcode ID: a578b5f886a1ba92aa63df4fb30f24e917e37c5d5805c9d18a9d5dfe7f20543f
                            • Instruction ID: 47f9ff579d0f6bd4f8c6551b647dceb0c06b388598284b870d4b857142b52a35
                            • Opcode Fuzzy Hash: a578b5f886a1ba92aa63df4fb30f24e917e37c5d5805c9d18a9d5dfe7f20543f
                            • Instruction Fuzzy Hash: 79317E71600215AFEB10DF69E985BAAB7F4FF18304F180079F914E7291DB759A548B70
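Added example, not part of the Joe Sandbox report and not code from the Getscreen agent or from FreeRDP: a small Python parser for the per-function records shown in this section (the "APIs", "Strings" and "Similarity" blocks). It takes three records copied from this page as constructed input, separates imported Win32 calls from calls into the sample's own image (which is how the statically linked FreeRDP code appears in these records), collects the FreeRDP build paths that survive in the referenced strings, and lists the environment variable names the sample queries. The module name GETSCREEN-156413884-X86 and the record layout come from the page; the function and field names in the script are the example's own.

```python
"""Triage helper for Joe Sandbox function records ("APIs"/"Strings"/"Similarity"
blocks): which Win32 imports each function touches, which in-binary functions
it calls, which source build paths survive in its strings, and which
environment variables it reads."""
import ntpath
import re
from collections import Counter

# The binary's own module name, as the report prints it for in-binary calls.
SAMPLE_MODULE = "GETSCREEN-156413884-X86"

# Constructed input: three records copied from this page, in the exact layout used here.
SAMPLE = r"""APIs
• ber_read_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D4502A
• ber_read_length.GETSCREEN-156413884-X86(?,?), ref: 00D4503F
Strings
Similarity
• API ID: ber_read_lengthber_read_universal_tag
• String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c$ber_read_integer$com.freerdp.crypto$should implement reading an integer with length=%d
• API String ID: 3186670568-2454464461
APIs
• GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,00000000,00000000,?,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?), ref: 00DBEABD
• GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,00000000,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEB14
Strings
APIs
• freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D22C14
  • Part of subcall function 00D226E1: ResetEvent.KERNEL32(?), ref: 00D2270A
Strings
• freerdp, xrefs: 00D23062
Similarity
• API ID: EventReset$ChannelErrorclearfreerdp_set_last_error_ex
• String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$ConnectionResult$freerdp$freerdp_connect
• API String ID: 3632380314-3564821047
"""

# One call line: "func.MODULE(args), ref: <addr>", optionally prefixed with
# "Part of subcall function <addr>: " for calls one level down.
API_LINE = re.compile(
    r"^• (?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<func>\w+)\.(?P<module>[^(]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
# "• Key: value" lines of the Similarity / Memory Dump Source blocks.
FIELD_LINE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
# A Windows build path to a C source file left in the binary's strings.
SOURCE_PATH = re.compile(r"^[A-Za-z]:\\.*\.(?:c|cc|cpp|h)$")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_records(text, sample_module=SAMPLE_MODULE):
    """Split report text into function records, one per 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None:
            continue  # text before the first record
        m = API_LINE.match(line)
        if m:
            call = m.groupdict()
            # Calls into the sample's own image are statically linked library
            # code (FreeRDP here); anything else is an import from a Windows DLL.
            call["internal"] = call["module"].upper() == sample_module.upper()
            call["args"] = call["args"].split(",") if call["args"] else []
            cur["apis"].append(call)
            continue
        m = FIELD_LINE.match(line)
        if m and m.group("key") == "String ID":
            # Referenced strings are '$'-joined; the 'API ID' field concatenates
            # names with no separator, so names are taken from call lines instead.
            cur["strings"] = [s for s in m.group("val").split("$") if s]
        elif m:
            cur["fields"][m.group("key")] = m.group("val")
    return records


def summarize(records):
    """Count imports and in-binary calls; collect embedded source paths."""
    imports, internal, paths = Counter(), Counter(), set()
    for r in records:
        for call in r["apis"]:
            if call["internal"]:
                internal[call["func"]] += 1
            else:
                imports[(call["module"], call["func"])] += 1
        paths.update(s for s in r["strings"] if SOURCE_PATH.match(s))
    return {"imports": imports, "internal": internal, "source_paths": sorted(paths)}


def env_vars_queried(records):
    """First argument of GetEnvironmentVariable* calls when the report resolved
    it to a string constant (unresolved values print as '?' or hex)."""
    names = set()
    for r in records:
        for call in r["apis"]:
            if call["func"].startswith("GetEnvironmentVariable") and call["args"]:
                if IDENT.fullmatch(call["args"][0]):
                    names.add(call["args"][0])
    return sorted(names)


def build_root(paths):
    """Common directory of the embedded source paths, or None if there are none."""
    if not paths:
        return None
    return ntpath.commonpath([ntpath.dirname(p) for p in paths])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    summary = summarize(recs)
    print("imports:", dict(summary["imports"]))
    print("in-binary calls:", dict(summary["internal"]))
    print("build root:", build_root(summary["source_paths"]))
    print("env vars read:", env_vars_queried(recs))
```

Two points of practice behind the script: the "API ID" field runs names together without a separator (ber_read_lengthber_read_universal_tag), so names are always taken from the call lines; and the WLOG_FILEAPPENDER_OUTPUT_FILE_PATH / _FILE_NAME lookups are FreeRDP's wlog file appender reading its log location from the environment, which tells a reviewer where a bundled remote-access agent can be made to write its log output.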
                            APIs
                            • ber_write_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D45415
                            • ber_write_length.GETSCREEN-156413884-X86(?,00000001,?,00000002,00000000), ref: 00D4541D
                            • ber_write_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D45440
                            • ber_write_length.GETSCREEN-156413884-X86(?,00000002,?,00000002,00000000), ref: 00D45448
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ber_write_lengthber_write_universal_tag
                            • String ID:
                            • API String ID: 1889070510-0
                            • Opcode ID: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
                            • Instruction ID: 2370a199a7cdf897bc0aefee0484073bb4ceb46cef0d095266aff33809bbaf7c
                            • Opcode Fuzzy Hash: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
                            • Instruction Fuzzy Hash: 1F21D731205F44EFDB125B08ED42B6A77A5EF11B01F058459FA8E1FA87C265AE41CBB1
                            APIs
                            • glyph_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CB79
                            • brush_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CB86
                            • pointer_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CB94
                            • bitmap_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBA2
                            • offscreen_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBB0
                            • palette_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBBE
                            • nine_grid_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBCC
                            • cache_free.GETSCREEN-156413884-X86(00000000), ref: 00D4CBDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: bitmap_cache_newbrush_cache_newcache_freeglyph_cache_newnine_grid_cache_newoffscreen_cache_newpalette_cache_newpointer_cache_new
                            • String ID:
                            • API String ID: 2332728789-0
                            • Opcode ID: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
                            • Instruction ID: fff0f8e958aee5268df8f76507cf07d66487e8d42236f9fcc16d47005cc25ea2
                            • Opcode Fuzzy Hash: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
                            • Instruction Fuzzy Hash: E501803625AB075BE364AEB6A853D3B67E8CF42B70718543FE480E6981FF24D40186B1
                            APIs
                            • region16_init.GETSCREEN-156413884-X86(?), ref: 00D6F58A
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: region16_init
                            • String ID:
                            • API String ID: 4140821900-0
                            • Opcode ID: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
                            • Instruction ID: 305966164178dc0f8d3ba639d6ef2abdbb41c12daa4f928cff9ce80e3619b53f
                            • Opcode Fuzzy Hash: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
                            • Instruction Fuzzy Hash: A8517CB2D00219ABDF18EFA9D8819EEBBF9FF48304F14412AF559E7240E7359941CB60
                            APIs
                            • gdi_CreateCompatibleDC.GETSCREEN-156413884-X86(?,00000000,?,?,?,00D6A9C7,00000000,?,?,?,?,?,?,?,?,00D6A899), ref: 00D6AAE7
                            • gdi_CreateCompatibleBitmap.GETSCREEN-156413884-X86(?,?,?,00000000,?,?,?,00D6A9C7,00000000,?,?,?,?), ref: 00D6AB0E
                            • gdi_CreateBitmapEx.GETSCREEN-156413884-X86(?,?,?,?,?,?,00000000,?,?,?,00D6A9C7,00000000,?,?,?,?), ref: 00D6AB2A
                            • gdi_SelectObject.GETSCREEN-156413884-X86(?,?), ref: 00D6AB60
                            • gdi_CreateRectRgn.GETSCREEN-156413884-X86(00000000,00000000,00000000,00000000), ref: 00D6ABA5
                            • gdi_DeleteObject.GETSCREEN-156413884-X86(?), ref: 00D6AC39
                            • gdi_DeleteDC.GETSCREEN-156413884-X86(?), ref: 00D6AC48
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: the same 19 dump files listed under the first Memory Dump Source block in this section
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: gdi_$Create$BitmapCompatibleDeleteObject$RectSelect
                            • String ID:
                            • API String ID: 412453062-0
                            • Opcode ID: 465b4ffd023e57f5a0c4565455c46a70f3e764856c2752f7a876167ddfb1c273
                            • Instruction ID: fdf687e987cde5e3a753ed0a5395322451627d44377fe6879c6aa63682e1b8c5
                            • Opcode Fuzzy Hash: 465b4ffd023e57f5a0c4565455c46a70f3e764856c2752f7a876167ddfb1c273
                            • Instruction Fuzzy Hash: 3B5106792007059FC725DF28C885EA6B7E1FF1C310B0945AEE98A8B762E771E841CF60
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,00000000,00000000,?,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?), ref: 00DBEABD
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEAE7
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,00000000,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEB14
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEB37
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WLOG_FILEAPPENDER_OUTPUT_FILE_NAME$WLOG_FILEAPPENDER_OUTPUT_FILE_PATH
                            • API String ID: 1431749950-2760771567
                            • Opcode ID: f786b4220e39eae0ed1bd492793fe623fc85827ccd2ffc167ce030539d8f9d69
                            • Instruction ID: 90133b353b5cf1063962a4ace7bdf70f69dd8727c235b759bd6964edd19ed087
                            • Opcode Fuzzy Hash: f786b4220e39eae0ed1bd492793fe623fc85827ccd2ffc167ce030539d8f9d69
                            • Instruction Fuzzy Hash: 5031D1B6A00A16FF87146FA69849DEFBFA8FF407643140018F403A3681DB709C519AF9
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(00FE1278,Function_00068C90,007A8EC0,00000000), ref: 007A8F0A
                            • GetLastError.KERNEL32 ref: 007A8F38
                            • TlsGetValue.KERNEL32 ref: 007A8F46
                            • SetLastError.KERNEL32(00000000), ref: 007A8F4F
                            • RtlAcquireSRWLockExclusive.NTDLL(00FE1284), ref: 007A8F61
                            • RtlReleaseSRWLockExclusive.NTDLL(00FE1284), ref: 007A8F73
                            • TlsSetValue.KERNEL32(00000000,?,?,00000000,0078B080), ref: 007A8FB5
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
                            • String ID:
                            • API String ID: 389898287-0
                            • Opcode ID: 5f7dcc49219c69d28eea3b8000ec592fb93b2040093f6ef70ce72008527faa41
                            • Instruction ID: e2a4279d735c18e1b95dfaebc6676b0b4821ef0f2c36977a78e068d3e474efea
                            • Opcode Fuzzy Hash: 5f7dcc49219c69d28eea3b8000ec592fb93b2040093f6ef70ce72008527faa41
                            • Instruction Fuzzy Hash: 3C21F6B570020AAFD7405FA6EC49BAE3BA5FB47701F000120FE15E62D0EB759919DBA2
                            APIs
                            • socket.WS2_32(00000002,00000002,00000011), ref: 00DBF673
                            • GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00DB6921,?,?,?,?,00DB6A0A,?,?,00000000,?,00DAE976,00000000), ref: 00DBF68A
                            • GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00DB6921,?,?,?,?,00DB6A0A,?,?,00000000,?,00DAE976,00000000), ref: 00DBF6AB
                            • closesocket.WS2_32(?), ref: 00DBF6E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable$closesocketsocket
                            • String ID: 127.0.0.1:20000$WLOG_UDP_TARGET
                            • API String ID: 65193492-3368084233
                            • Opcode ID: 39a73ad04d4e58b3067d844af0e14279af8c0cb32794676c61b92ce4e9d99c25
                            • Instruction ID: ce4c73165f8e39fe9115eda3647c98a578ad6a325e3d0917779317582e933391
                            • Opcode Fuzzy Hash: 39a73ad04d4e58b3067d844af0e14279af8c0cb32794676c61b92ce4e9d99c25
                            • Instruction Fuzzy Hash: 97219F76644B02EFD3305F669C09B977BE4EF41714F24042DF543AAAE1DBB1E4418B64
                            APIs
                            • LoadLibraryA.KERNEL32(winsta.dll,?,00DB78D9,01067120), ref: 00DC0023
                            • GetProcAddress.KERNEL32(00000000,WinStationVirtualOpen), ref: 00DC003C
                            • GetProcAddress.KERNEL32(WinStationVirtualOpenEx), ref: 00DC0052
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WinStationVirtualOpen$WinStationVirtualOpenEx$winsta.dll
                            • API String ID: 2238633743-2382846951
                            • Opcode ID: bca72f749f963809c03aaa0275ada407960eddc3121bd1f100a8fb5f62a59976
                            • Instruction ID: a8fd1ac4370bff82f7a7cb31ba5c699696b6b56c3ffe79f8a697d2f120e9f33e
                            • Opcode Fuzzy Hash: bca72f749f963809c03aaa0275ada407960eddc3121bd1f100a8fb5f62a59976
                            • Instruction Fuzzy Hash: 770125B0A41742CFD7009FB1A80DF623EE4BB05794F0A40BDE489EB362DBB58044AF64
                            APIs
                            • glyph_cache_free.GETSCREEN-156413884-X86(?), ref: 00D4CB1E
                            • brush_cache_free.GETSCREEN-156413884-X86(?,?), ref: 00D4CB26
                            • pointer_cache_free.GETSCREEN-156413884-X86(?,?,?), ref: 00D4CB2E
                            • bitmap_cache_free.GETSCREEN-156413884-X86(?,?,?,?), ref: 00D4CB36
                            • offscreen_cache_free.GETSCREEN-156413884-X86(?,?,?,?,?), ref: 00D4CB3E
                            • palette_cache_free.GETSCREEN-156413884-X86(?,?,?,?,?,?), ref: 00D4CB46
                            • nine_grid_cache_free.GETSCREEN-156413884-X86(?,?,?,?,?,?,?), ref: 00D4CB4E
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: bitmap_cache_freebrush_cache_freeglyph_cache_freenine_grid_cache_freeoffscreen_cache_freepalette_cache_freepointer_cache_free
                            • String ID:
                            • API String ID: 637575458-0
                            • Opcode ID: 2a12e379a9b476aac062f53d4a627af9393f4fd168afc1b96a522a904cabb56b
                            • Instruction ID: 7d2ad1be38f40f5d9100628832ae03b041193a76f72864a167362ba3ee387bbb
                            • Opcode Fuzzy Hash: 2a12e379a9b476aac062f53d4a627af9393f4fd168afc1b96a522a904cabb56b
                            • Instruction Fuzzy Hash: 71E01231411A14ABCA323F61DC03C5ABBAAEF117617445929F49625473CB22AC60AEB5
                            APIs
                            • gdi_CRgnToRect.GETSCREEN-156413884-X86(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D8E040
                            • gdi_RgnToRect.GETSCREEN-156413884-X86(?,?,?,?,?), ref: 00D8E04F
                            • gdi_CRgnToRect.GETSCREEN-156413884-X86(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00D8E062
                            • gdi_RgnToRect.GETSCREEN-156413884-X86(?,?,?,?,?), ref: 00D8E0A3
                            • gdi_CRgnToRect.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,?,?), ref: 00D8E0C8
                            • gdi_RectToCRgn.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D8E147
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Rectgdi_
                            • String ID:
                            • API String ID: 2404991910-0
                            • Opcode ID: 3d67676e60336d8243c1b5285746560daf0f8b90a72871facbe574aa155c2f1d
                            • Instruction ID: 59c4b9f716e6fafceaa9a279b9c9673c2ddaf35ae519084c4ba5e651d87cacde
                            • Opcode Fuzzy Hash: 3d67676e60336d8243c1b5285746560daf0f8b90a72871facbe574aa155c2f1d
                            • Instruction Fuzzy Hash: 0C51C072E01219EFCF14EF99C8858EEBBB9FF48710B14842AE515A7250D771AA41CFB0
                            APIs
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(?,000007C0,?), ref: 00D61DA2
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C8,00000001), ref: 00D61DCC
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C8,00000000), ref: 00D61DE8
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C9,00000000), ref: 00D61DFC
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C8,00000000), ref: 00D61E19
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C9,00000000), ref: 00D61E2D
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_bool$freerdp_settings_set_uint32
                            • String ID:
                            • API String ID: 4272850885-0
                            • Opcode ID: fad6795779e0600882673a89c48fb156f3d83e8e8ab2019e83a44d2ff3258703
                            • Instruction ID: feb49c3982a8684006756a8fdfe54064ca500717821cece9542d44e8f719cad9
                            • Opcode Fuzzy Hash: fad6795779e0600882673a89c48fb156f3d83e8e8ab2019e83a44d2ff3258703
                            • Instruction Fuzzy Hash: 7A11D66EF8920277F96020654C82F6F129C8F62B59F5C0025FE08E51C3EA96EE0088F6
                            APIs
                            • freerdp_image_copy.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,08008000,00000000,00000000,00000000,?,00000001,?,?), ref: 00D88C2B
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00D88DBF
                            • freerdp_image_copy_from_icon_data, xrefs: 00D88DBA
                            • 1bpp and 4bpp icons are not supported, xrefs: 00D88DB5
                            • com.freerdp.color, xrefs: 00D88D98
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_image_copy
                            • String ID: 1bpp and 4bpp icons are not supported$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$com.freerdp.color$freerdp_image_copy_from_icon_data
                            • API String ID: 1523062921-332027372
                            • Opcode ID: 180bafbf75882e55464d0ec9705d59608dc54d08cf93fc5971317ff467151dff
                            • Instruction ID: 34ea53ca85ac2f1719ac225b7316df33585b6dcfc5fcce39badb4d22dfae884b
                            • Opcode Fuzzy Hash: 180bafbf75882e55464d0ec9705d59608dc54d08cf93fc5971317ff467151dff
                            • Instruction Fuzzy Hash: 0851B5B1A0021DAEDF24AF15CD41BFA77A8EF14300F4881A9FE14A2191D7719E81DF74
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: kbd-lang-list$kbd-list$monitor-list
                            • API String ID: 0-1393584692
                            • Opcode ID: fe51db516223de5ca331d88248ae5dc69143970dd8df4d27b1a39c4cb4a0fa66
                            • Instruction ID: 6e075998fd72a7b786a2918271cbd35609f93a4e6f0503c882ee7d8e1406be28
                            • Opcode Fuzzy Hash: fe51db516223de5ca331d88248ae5dc69143970dd8df4d27b1a39c4cb4a0fa66
                            • Instruction Fuzzy Hash: 9431A732901218ABDB20EB68DD46DDBB7ECEB05310F0841A5FD18A71D2DA70DE40EAF1
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c, xrefs: 00D79AFA
                            • com.freerdp.codec, xrefs: 00D79AD0
                            • interleaved_compress: width (%u) or height (%u) is greater than 64, xrefs: 00D79AF0
                            • interleaved_compress, xrefs: 00D79AF5
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c$com.freerdp.codec$interleaved_compress$interleaved_compress: width (%u) or height (%u) is greater than 64
                            • API String ID: 0-4054760794
                            • Opcode ID: d85437afc43ce44ab5132420aab3533f95c215e4be3900ba6292be4bf386adf8
                            • Instruction ID: b9cf6b2ac3b1e1ba26c8d4c733676cf33304a4dcd19a13ac3aa60de0457c31dc
                            • Opcode Fuzzy Hash: d85437afc43ce44ab5132420aab3533f95c215e4be3900ba6292be4bf386adf8
                            • Instruction Fuzzy Hash: E521C273341209BFEF255E56DC96FAB7B68EB05754F088119FA08661A0F672EC50CB70
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3CC8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextW
                            • API String ID: 689400697-743139187
                            • Opcode ID: b3b805675f9222908816f167d5fb7b1162adb8a8f0cdaea20a55787a871de2c8
                            • Instruction ID: c61b74a6778c36063c0bb2a1ffa8d1edb47d65641b055684fbe2395195ff3fc3
                            • Opcode Fuzzy Hash: b3b805675f9222908816f167d5fb7b1162adb8a8f0cdaea20a55787a871de2c8
                            • Instruction Fuzzy Hash: C221A536280244FBEF225E96DC02EEB3F69EB55B54F040154FA04660E1DA62DA60FBB1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3DA3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextA
                            • API String ID: 689400697-1744466472
                            • Opcode ID: 2eea3a3e51f6079cc079a12b7f81ffe647e431201094f2e9324180b18d59b907
                            • Instruction ID: 0db3efcb9d8d3e86031f11ffc3e329e15d9f953f7646301bfee65671ced8692d
                            • Opcode Fuzzy Hash: 2eea3a3e51f6079cc079a12b7f81ffe647e431201094f2e9324180b18d59b907
                            • Instruction Fuzzy Hash: C421C336240204FBEF225E96EC02EEB3F69EB45B54F040154FA44650E1D672DA21FB70
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3227
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcquireCredentialsHandleW: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleW
                            • API String ID: 689400697-2657764935
                            • Opcode ID: 3608575d8dcd4481cd5f3055395dec5de9a26248fa144b46edfc1a51ccdbaf8e
                            • Instruction ID: fdcda2abf87abb33374589a7c2a86917b64a7dd425e847e6d722d69d0728af92
                            • Opcode Fuzzy Hash: 3608575d8dcd4481cd5f3055395dec5de9a26248fa144b46edfc1a51ccdbaf8e
                            • Instruction Fuzzy Hash: 3A11E432684305FBEF221E56EC07EAB3B69EB55B14F040094FA01A50E1D572DA20F7B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB32F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcquireCredentialsHandleA: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleA
                            • API String ID: 689400697-1172745827
                            • Opcode ID: ee8330f766247ef7580ab77b56b9b2ac2045816d24b17fa03d64e72467238a28
                            • Instruction ID: 10bf43b068e49bd497b97c3fcc99fe516e99f4f27280dc1cfd64e8af1dd408c8
                            • Opcode Fuzzy Hash: ee8330f766247ef7580ab77b56b9b2ac2045816d24b17fa03d64e72467238a28
                            • Instruction Fuzzy Hash: 3611A536344205FBEF222E569C06EAB3FA9EB45B54F040054FA04651E1DA62D920F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB384E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcceptSecurityContext: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcceptSecurityContext
                            • API String ID: 689400697-2008077614
                            • Opcode ID: ccefbb1fe2f2e385423ef8aa5d2334f9ed660c910b16205ec69a1fc16b740488
                            • Instruction ID: 99fe409885ad976f5129006e109f3b164fdba013604cc5fdb1efff9062ed6bc5
                            • Opcode Fuzzy Hash: ccefbb1fe2f2e385423ef8aa5d2334f9ed660c910b16205ec69a1fc16b740488
                            • Instruction Fuzzy Hash: 6311D636240204FBEF225E56EC07EAB3F69EB55B54F040055FA00A51E1D966CA21FBB1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB4544
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$VerifySignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_VerifySignature
                            • API String ID: 689400697-1495805676
                            • Opcode ID: 307cbb9edf8a4ebff92783441eab19cdcaf0d103a63b8c2a8886c8410c94a2fc
                            • Instruction ID: 98b3351dc559f1c5d86aee85d2f7a1c82c6d7f02ad04834b08163a97289a2162
                            • Opcode Fuzzy Hash: 307cbb9edf8a4ebff92783441eab19cdcaf0d103a63b8c2a8886c8410c94a2fc
                            • Instruction Fuzzy Hash: CC11E775384704BBEA31AA56EC07FA73BACDB51B50F040054FA01A61E2D9A2CD10E775
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB40BB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesW
                            • API String ID: 689400697-247170817
                            • Opcode ID: 8fbfbfd4e0a825d081d4a12aba37a5dfaa4f6f380db60e38efc816a182c25d0a
                            • Instruction ID: cb79550c6f617bfaa4b7ce11790babc97080b350c82d278fcca72b1439d18cd1
                            • Opcode Fuzzy Hash: 8fbfbfd4e0a825d081d4a12aba37a5dfaa4f6f380db60e38efc816a182c25d0a
                            • Instruction Fuzzy Hash: 98110A36784305FBEA22AA5AEC03EAB3F6CEB91B60F044054F941A60D2D966CD50E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB417E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesA
                            • API String ID: 689400697-1164902870
                            • Opcode ID: bea88b7b22939bf934497e077808359eb8e6a2e0534cb70cd60e5d03e430364e
                            • Instruction ID: a8904db56472dead351d7abe508bd6a5f4a1bfb2fc1115e403d61f3f2f8bcc4f
                            • Opcode Fuzzy Hash: bea88b7b22939bf934497e077808359eb8e6a2e0534cb70cd60e5d03e430364e
                            • Instruction Fuzzy Hash: 32110D39784305FBEA31AA56EC03E673F6CDB51B60F040054F901A50D3D962CA50E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB4481
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$MakeSignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_MakeSignature
                            • API String ID: 689400697-3834539683
                            • Opcode ID: 8fff4197dd1dac2a00c8d5ad8cbb4b930f8cb7b9d9af8445e52f2d71828b2080
                            • Instruction ID: 9c96ad772089bde2f9169dc48410110a3975094eacd190773c5293c4526f8a76
                            • Opcode Fuzzy Hash: 8fff4197dd1dac2a00c8d5ad8cbb4b930f8cb7b9d9af8445e52f2d71828b2080
                            • Instruction Fuzzy Hash: F111E775380304FBEA316A56AC03FAB3B6CDB81B60F044054FA01A65E3D9A2CD20E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB33CB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ExportSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ExportSecurityContext
                            • API String ID: 689400697-3640258815
                            • Opcode ID: 080f00bc6b52f8b4c90e95ccc08b55ec7e2501dc662a57880aaafce68d5d65f2
                            • Instruction ID: 4f57cd32bab2273443919f188ac44c2e473d00e22c2901cb0347818e3de2850a
                            • Opcode Fuzzy Hash: 080f00bc6b52f8b4c90e95ccc08b55ec7e2501dc662a57880aaafce68d5d65f2
                            • Instruction Fuzzy Hash: 4111E735384304FAEB221A56EC07FA73B6CEB91B54F040064FA41A70E1D962DA10F771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3548
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextW
                            • API String ID: 689400697-3257054040
                            • Opcode ID: deb4a1c2086ca34d2869eebd00ccf5e504d8730b312efbf1b265f6d338d2c72d
                            • Instruction ID: 64977588999548d6247546f1d7fe72f77c10104e888ea0dbd4ce5c53f87dddd8
                            • Opcode Fuzzy Hash: deb4a1c2086ca34d2869eebd00ccf5e504d8730b312efbf1b265f6d338d2c72d
                            • Instruction Fuzzy Hash: 77119435384305BAEA315E56EC07FA73BADEB51B54F040054FA01A61D1E9A2DA10F775
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB360B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextA
                            • API String ID: 689400697-848437295
                            • Opcode ID: 633087edfde2f68bb47261b14267e125a5daf245b454dbb2927d5e57ae45b585
                            • Instruction ID: d7a1cdd970deefc0b9ba524ce1c3a78a833dc5445281ec20ed0ccf819f42b62e
                            • Opcode Fuzzy Hash: 633087edfde2f68bb47261b14267e125a5daf245b454dbb2927d5e57ae45b585
                            • Instruction Fuzzy Hash: 73110A35380304FAEB325A56EC07FAB3B6CDB51B64F040054F941A61E1D9A2DA11F7B5
                            APIs
                            • ncrush_context_reset.GETSCREEN-156413884-X86(00000000,00000000), ref: 00D81B36
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c, xrefs: 00D81B19
                            • com.freerdp.codec, xrefs: 00D81AF1
                            • ncrush_context_new: failed to initialize tables, xrefs: 00D81B0F
                            • ncrush_context_new, xrefs: 00D81B14
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ncrush_context_reset
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c$com.freerdp.codec$ncrush_context_new$ncrush_context_new: failed to initialize tables
                            • API String ID: 2838332675-904927664
                            • Opcode ID: 5beb58443ae4acf6553ade6ffe48762b4b104013af54215ae2096fca8978c0e7
                            • Instruction ID: 92ea939e86af608edb07a1b05139b89813acb907b2eb101fa3b390d080ead838
                            • Opcode Fuzzy Hash: 5beb58443ae4acf6553ade6ffe48762b4b104013af54215ae2096fca8978c0e7
                            • Instruction Fuzzy Hash: C01108723007067AE314BB15AC42FA7B7DCEB41754F20411DF608A66C1EBB2A951CBB0
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB36CE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesW
                            • API String ID: 689400697-3413647607
                            • Opcode ID: e1f6dbac7b1aecb37c71ce92d399cd3bf0e4fa6a14009dd2e1820232b963d726
                            • Instruction ID: 13d2b840c005fe16bd761178484a735cc88847a3272b82e0f65e5ccd2380754b
                            • Opcode Fuzzy Hash: e1f6dbac7b1aecb37c71ce92d399cd3bf0e4fa6a14009dd2e1820232b963d726
                            • Instruction Fuzzy Hash: 9E11E9B5384340FBEB215A56EC07FA73BACEB92B54F040094F941AA1E1DDA2DA11F771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB378E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesA
                            • API String ID: 689400697-3754301720
                            • Opcode ID: f8d11526cb3e0c97667efc20a61aa2108bb6d5ed5f4ab4bd00d595dca7856f30
                            • Instruction ID: c806a74fe92bc68c6fdc9ab5d333bd96d2b614cf75e6c15e968bcfe6459788ff
                            • Opcode Fuzzy Hash: f8d11526cb3e0c97667efc20a61aa2108bb6d5ed5f4ab4bd00d595dca7856f30
                            • Instruction Fuzzy Hash: DA110A75380341FAEA211756EC07EA73B6CEB51B54F0400A4F940A61D1DD62DA11F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3E7E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesW
                            • API String ID: 689400697-2578917824
                            • Opcode ID: 38f2a77e898e7e163c11fdc0bfcc9f65d14a511f9a656ed72ba8f386fba3ff76
                            • Instruction ID: 10bcb6ab69531a0aca6f23e91eebb113bf73fc2f975c91fca904e8748798339a
                            • Opcode Fuzzy Hash: 38f2a77e898e7e163c11fdc0bfcc9f65d14a511f9a656ed72ba8f386fba3ff76
                            • Instruction Fuzzy Hash: BB110636384300FBEA325A56EC03FAB3B6CEB95F64F040155F901A60D1D962DA11F771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3F3E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesA
                            • API String ID: 689400697-3211427146
                            • Opcode ID: b1dc4295e170f856977553b8e1e652cf5c0624be3037165d26d98fe6798714de
                            • Instruction ID: d7056a98cee6e8cbd47c9d80d97d890a5378d7e7efe5ff176d0a28d55d5a0a86
                            • Opcode Fuzzy Hash: b1dc4295e170f856977553b8e1e652cf5c0624be3037165d26d98fe6798714de
                            • Instruction Fuzzy Hash: EB11C135784301FAEA226A56EC03EBB3F6DEB95B60F040094F940A60D1D9B2DA10A771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB30AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoW
                            • API String ID: 689400697-2261828479
                            • Opcode ID: 479954bcacd58462f064905597a1cf0662988a32b5ebacc39d15cd97721b4f16
                            • Instruction ID: 29b1fd94e8362ca86afcf5ca7f755991f49405afd8851eb643728b2e683139ba
                            • Opcode Fuzzy Hash: 479954bcacd58462f064905597a1cf0662988a32b5ebacc39d15cd97721b4f16
                            • Instruction Fuzzy Hash: 3011E535388301BAEA31665AEC07FA73BACDB92F64F040094F905A61D1D9A2DA10F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB316A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoA
                            • API String ID: 689400697-3351603741
                            • Opcode ID: 3fdb74aa583da4b10fa1f679e6d3788faae2f47ce1203347492f9f2a37764dc1
                            • Instruction ID: d61e4e64d0efc07c5fd5e13082f808007015ab2ba8af43fcf7caf4042f5f9962
                            • Opcode Fuzzy Hash: 3fdb74aa583da4b10fa1f679e6d3788faae2f47ce1203347492f9f2a37764dc1
                            • Instruction Fuzzy Hash: 4711E935784305BAEA31265AEC07FA73F6CDB92B50F0400A4F941A61D2DAA2DA10F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3FFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityContextToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityContextToken
                            • API String ID: 689400697-2156878011
                            • Opcode ID: a4ff2916a27b452caa9e82b9a34f3abf3892de5e0ce0fb46b0075721acc985c1
                            • Instruction ID: 5c3d553feabd92e531ca834255a982a26fcb479e8932d6c676dc6d6db17decf7
                            • Opcode Fuzzy Hash: a4ff2916a27b452caa9e82b9a34f3abf3892de5e0ce0fb46b0075721acc985c1
                            • Instruction Fuzzy Hash: 75110C39384305FBE631B656EC07F673B6CDB91B64F040054F645A60D2D9A2D910E7B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB2F33
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesW
                            • API String ID: 689400697-255015424
                            • Opcode ID: c7434e5d4cd3d8e42e0a2f4f77ac716c28d993c0389cc0c4fb20377075966082
                            • Instruction ID: 5d03a45bc6d7432c2bb7df8efd4d2650badde5cfccf72cb24ac055a3a49876af
                            • Opcode Fuzzy Hash: c7434e5d4cd3d8e42e0a2f4f77ac716c28d993c0389cc0c4fb20377075966082
                            • Instruction Fuzzy Hash: 4011C636788305BAEA216657EC07FB73F6CDF95B60F040094F905A60E1D962D910E7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB2FF0
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesA
                            • API String ID: 689400697-1149382491
                            • Opcode ID: ef5b085fc55fbc7905c4695608fa6360fce87cddd9d7b3805d02c5c29cec0183
                            • Instruction ID: b5564198682657a00847c51bdac65331266f4ba04c0c0c793ac9b02a34d6acc2
                            • Opcode Fuzzy Hash: ef5b085fc55fbc7905c4695608fa6360fce87cddd9d7b3805d02c5c29cec0183
                            • Instruction Fuzzy Hash: C311C635784340BAE7312A5AEC07EAB3B6CDF92B64F0400D4F904A60D1D9A2DE10F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3920
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: ApplyControlToken: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_ApplyControlToken
                            • API String ID: 689400697-2845897268
                            • Opcode ID: 686be234af18e3545d6e883262fb2a6769b4cbb9d40d24f308dc26010e85b475
                            • Instruction ID: 21c72281ed06f16267e44013f8c90a35e8c5a5158f0ded67f7d1824354aa7ff3
                            • Opcode Fuzzy Hash: 686be234af18e3545d6e883262fb2a6769b4cbb9d40d24f308dc26010e85b475
                            • Instruction Fuzzy Hash: AD11E935384300FBEE21265AEC07EA73F6CDB91BA4F040168F540A60D1D9A2CE10FBB5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB39DD
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$CompleteAuthToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_CompleteAuthToken
                            • API String ID: 689400697-1972714555
                            • Opcode ID: 02e07b05f845aaddfe4f1da853e31e7959541ef7989d2cd1f2d1e2a11ca649c4
                            • Instruction ID: 4aa0f167b85b42ca8ff6b14526edbca7b413c4a4e50f33d463af29e609189d2b
                            • Opcode Fuzzy Hash: 02e07b05f845aaddfe4f1da853e31e7959541ef7989d2cd1f2d1e2a11ca649c4
                            • Instruction Fuzzy Hash: 29118635384301FBEA216656EC07E673B6CDB91F54F140164F541A61D1D9A2DA10F6B1
                            APIs
                            • freerdp_image_copy.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00D895B5
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00D895F0
                            • com.freerdp.color, xrefs: 00D895C8
                            • SmartScaling requested but compiled without libcairo support!, xrefs: 00D895E6
                            • freerdp_image_scale, xrefs: 00D895EB
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_image_copy
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$SmartScaling requested but compiled without libcairo support!$com.freerdp.color$freerdp_image_scale
                            • API String ID: 1523062921-212429655
                            • Opcode ID: 7670fec4113b2f21ce419415567660a2b9db773eb64ea27869a9fbb05041631b
                            • Instruction ID: 34f3b93c13310a42f0bb55862021cc83e53feddc6b80ddd4d5050efdda4ab531
                            • Opcode Fuzzy Hash: 7670fec4113b2f21ce419415567660a2b9db773eb64ea27869a9fbb05041631b
                            • Instruction Fuzzy Hash: 6021D67224020DBBDF15AF14DC12FBE3BA9EB14700F485105FD04A61A0E372E951DF60
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB4241
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$RevertSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_RevertSecurityContext
                            • API String ID: 689400697-954186549
                            • Opcode ID: bfa845a104817d139d4c298e76ab31afdcbcdfc91bf428712e5623bfed8f384b
                            • Instruction ID: 74c60c9320d5f8ff0b8a1f62143b0aea4e7ceda483665ebc893f2b28e7659466
                            • Opcode Fuzzy Hash: bfa845a104817d139d4c298e76ab31afdcbcdfc91bf428712e5623bfed8f384b
                            • Instruction Fuzzy Hash: 3E11C275384300BAEA216656BC07FA73B5CDB91B64F0400A5F900A60D2D9A2DA10F6B9
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3B54
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeContextBuffer: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeContextBuffer
                            • API String ID: 689400697-1791514552
                            • Opcode ID: 5c63f8e7fcc6626b28fe669cc521de06139d53c88114aee292fa02794c0f3f99
                            • Instruction ID: 44c1f1793e30786f5d6c551bd1b94906e2b077dec11e737fb184aaaadc32a0fb
                            • Opcode Fuzzy Hash: 5c63f8e7fcc6626b28fe669cc521de06139d53c88114aee292fa02794c0f3f99
                            • Instruction Fuzzy Hash: 8711A535384301BBEA212656EC07EA73B5CDB92B54F0400A4F941AA1D1EDA2DA10B7B9
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3C0E
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImpersonateSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImpersonateSecurityContext
                            • API String ID: 689400697-4242683877
                            • Opcode ID: 871fc2bbcf2c46159d6b0661d6b2b5a7a44a5fe97f004d292dc4e7985ec164f0
                            • Instruction ID: 431a5f2e896169f4d81a2cf06e9a7c7cdcb26d05f3dafb39bb01086e9fd13225
                            • Opcode Fuzzy Hash: 871fc2bbcf2c46159d6b0661d6b2b5a7a44a5fe97f004d292dc4e7985ec164f0
                            • Instruction Fuzzy Hash: D611C835384300FBE6212656EC07FA73F5CDB92F50F0401A4F941A61E2D992DB11F6B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB348E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeCredentialsHandle: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeCredentialsHandle
                            • API String ID: 689400697-3116451197
                            • Opcode ID: 1409ef787062f5453defe90b9ba9f8e1a566c10a8ac02463e99c8e07e4509588
                            • Instruction ID: 3b941353c5ec6e0560fe93aa40b6b9c04dfcf444844c52fe4f49971b83152074
                            • Opcode Fuzzy Hash: 1409ef787062f5453defe90b9ba9f8e1a566c10a8ac02463e99c8e07e4509588
                            • Instruction Fuzzy Hash: 01110835384301FAEA322626EC07F673B9CDB92B54F0440A4F545A60D1D992DE50F6B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3A9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DeleteSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DeleteSecurityContext
                            • API String ID: 689400697-4185332897
                            • Opcode ID: 42d94eeae4b5b9a598ea7349f333e4a0021de697c8b6a4960d89686d9679c88a
                            • Instruction ID: 1efd685cf09d506ea53561d1de4bdd83493ca27a540bc868c24e2d4f69ed7731
                            • Opcode Fuzzy Hash: 42d94eeae4b5b9a598ea7349f333e4a0021de697c8b6a4960d89686d9679c88a
                            • Instruction Fuzzy Hash: 0511E535784300FAE632665AEC07FA73B5CDB92B54F040168F944E60E1D992DA11B6B5
                            APIs
                            • primitives_get.GETSCREEN-156413884-X86 ref: 00E365CB
                            Strings
                            • com.freerdp.codec, xrefs: 00E3660B
                            • yuv_process_work_callback, xrefs: 00E3662E
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c, xrefs: 00E36633
                            • error when decoding lines, xrefs: 00E36629
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: primitives_get
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c$com.freerdp.codec$error when decoding lines$yuv_process_work_callback
                            • API String ID: 2017034601-2620645302
                            • Opcode ID: 5f235f30597290e64c0b663bf6157f4d58c2ee7ca260f72bdd303ace9b5944de
                            • Instruction ID: 0658d8e2b553374ff7192685a6f3cd1725393b054ec1ee39a915d34824c9b826
                            • Opcode Fuzzy Hash: 5f235f30597290e64c0b663bf6157f4d58c2ee7ca260f72bdd303ace9b5944de
                            • Instruction Fuzzy Hash: CB0196B1600306BFDB14DF64DC02F5A7BA8FF06718F004159F904EA281EAB5E940CBB5
                            APIs
                            • region16_extents.GETSCREEN-156413884-X86(?), ref: 00D89F06
                            • region16_extents.GETSCREEN-156413884-X86(?,?), ref: 00D89F12
                            • region16_n_rects.GETSCREEN-156413884-X86(?,?,?), ref: 00D89F1D
                            • region16_n_rects.GETSCREEN-156413884-X86(?), ref: 00D89F7D
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: region16_extentsregion16_n_rects
                            • String ID:
                            • API String ID: 2062899502-0
                            • Opcode ID: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
                            • Instruction ID: 0117f150602412b3be55513778fe053282ae775071e97130aba6e26abd5f369b
                            • Opcode Fuzzy Hash: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
                            • Instruction Fuzzy Hash: 87512875A0022AABCB14DF99C8408BEF7F5FF18310B15816AE859E7250E335AE40CBB4
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(00FE1278,007A8C90,007A8EC0,00000000), ref: 007A8E6A
                            • GetLastError.KERNEL32 ref: 007A8E7F
                            • TlsGetValue.KERNEL32 ref: 007A8E8D
                            • SetLastError.KERNEL32(00000000), ref: 007A8E96
                            • TlsAlloc.KERNEL32 ref: 007A8EC3
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorLastOnce$AllocExecuteInitValue
                            • String ID:
                            • API String ID: 2822033501-0
                            • Opcode ID: 10e15f695bce760c7e9cfb5ce4c038cc2aba84e6765c7987a933adc9bad3728d
                            • Instruction ID: df1ea4469e373195183c178e20251ef794ba4659a3b25d75efd74e0968f767a5
                            • Opcode Fuzzy Hash: 10e15f695bce760c7e9cfb5ce4c038cc2aba84e6765c7987a933adc9bad3728d
                            • Instruction Fuzzy Hash: 6301C87960020C9FCB009FB6EC49B6E77B8FB46B11B404225F915E7290EB3099088B61
                            APIs
                            • audio_format_print.GETSCREEN-156413884-X86(?,?,?), ref: 00E34A72
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: audio_format_print
                            • String ID: AUDIO_FORMATS (%hu) ={$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_formats_print
                            • API String ID: 2744001552-3527835062
                            • Opcode ID: 190b4eed6e8eb1bfef3c354a6c4be8922e1d4cc71d4c945d923ffda63c261f84
                            • Instruction ID: b78a942341c6e3ef25444726e57ef43ec42734cb83659480e3f1fbda42139c21
                            • Opcode Fuzzy Hash: 190b4eed6e8eb1bfef3c354a6c4be8922e1d4cc71d4c945d923ffda63c261f84
                            • Instruction Fuzzy Hash: 9511B4B228031536DB11AE155C46FAF2F9CDF63B64F040015FD14B21C2F6A1E601D2BB
                            APIs
                            • getChannelError.GETSCREEN-156413884-X86(?), ref: 00D31248
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ChannelError
                            • String ID: ($ChannelDetached$freerdp
                            • API String ID: 1163697128-436519898
                            • Opcode ID: d41152332e34c1132b17fc4ebc57e4b237890b6d19fcfe298640a9fb059c40de
                            • Instruction ID: fc80bfe549b8597e74f5623f85120fd146f05f3c631305c3a6c06a9ddc4a1d40
                            • Opcode Fuzzy Hash: d41152332e34c1132b17fc4ebc57e4b237890b6d19fcfe298640a9fb059c40de
                            • Instruction Fuzzy Hash: 7C212C75A00209EFDB10DF98C885FAEBBF9FF08344F144469E944EB251D770AA549BA0
                            APIs
                            • getChannelError.GETSCREEN-156413884-X86(?), ref: 00D30BB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ChannelError
                            • String ID: ($ChannelAttached$freerdp
                            • API String ID: 1163697128-2646891115
                            • Opcode ID: 068b98a21e688adcc1a7a8ef4bb56f7f67ea8c15b542e4d7e67dc6f7d4de20b9
                            • Instruction ID: f91ad36d8a6de8015f64d295c82b2d5ed3997809a739205efbd6b358ca96a36e
                            • Opcode Fuzzy Hash: 068b98a21e688adcc1a7a8ef4bb56f7f67ea8c15b542e4d7e67dc6f7d4de20b9
                            • Instruction Fuzzy Hash: 82210C71A00209EFDF14DF98C885FAEBBF9FF08344F1445A9E944A7252D771AA509BA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: audin$rdpsnd
                            • API String ID: 0-930729200
                            • Opcode ID: 6f8f7c70f85235a5e8cfa22d1d5172d6193b23b90d8a430442da5d604fd0f399
                            • Instruction ID: f8d5fcc491c9a5b0804bee04886522f5f4ebedceeef8fc4138f87d240f1a78ee
                            • Opcode Fuzzy Hash: 6f8f7c70f85235a5e8cfa22d1d5172d6193b23b90d8a430442da5d604fd0f399
                            • Instruction Fuzzy Hash: 8D116071A09E16ABDB24CF34CC806AAF3A4FB06B41F19422AE45853140D730A990CBF2
                            APIs
                            • audio_format_get_tag_string.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?), ref: 00E34737
                            Strings
                            • %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu, xrefs: 00E3473E
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00E34748
                            • audio_format_print, xrefs: 00E34743
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: audio_format_get_tag_string
                            • String ID: %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_format_print
                            • API String ID: 2866491501-3564663344
                            • Opcode ID: c52e0dd6431addf09f15b8af9c1846588221c8247c802d37eaa2d35c0adcb67b
                            • Instruction ID: c2d6e60e98c7b835152735da8c56021c325244e8a3b4f5dbb22e345a41e2b73d
                            • Opcode Fuzzy Hash: c52e0dd6431addf09f15b8af9c1846588221c8247c802d37eaa2d35c0adcb67b
                            • Instruction Fuzzy Hash: 00F030B6140308BADB411F51CC02E763B6DEB49B14F248089FD5C9C1D2E677D9A2E775
                            APIs
                            • freerdp_get_last_error.GETSCREEN-156413884-X86(?), ref: 00D22725
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,0002000B,freerdp_abort_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,0000013A), ref: 00D22745
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D22734
                            • freerdp_abort_connect, xrefs: 00D22739
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_get_last_errorfreerdp_set_last_error_ex
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$freerdp_abort_connect
                            • API String ID: 3690923134-629580617
                            • Opcode ID: 8b84df513927c2faf32e9f7b4c90c45f57ed35bad4788dd2aa2a229fc031dfbd
                            • Instruction ID: 77cffd4ec60be4181f7003ad927b34deaf9b401c806ea308a7082c46035d468c
                            • Opcode Fuzzy Hash: 8b84df513927c2faf32e9f7b4c90c45f57ed35bad4788dd2aa2a229fc031dfbd
                            • Instruction Fuzzy Hash: 89E0D831244334FADA312D10FC02B65F794DF20B98F180425B9C476091E6625A52D5B0
                            APIs
                            • primitives_get.GETSCREEN-156413884-X86 ref: 00E3633F
                            • primitives_flags.GETSCREEN-156413884-X86(00000000), ref: 00E36353
                            • TpWaitForWork.NTDLL(00000000,00000000), ref: 00E364A9
                            • TpReleaseWork.NTDLL(00000000), ref: 00E364B2
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Work$ReleaseWaitprimitives_flagsprimitives_get
                            • String ID:
                            • API String ID: 704174238-0
                            • Opcode ID: b920dafea80bb627aefb0e9e8478b1e68d6ca8f887ac2a9f61730828152ae3fc
                            • Instruction ID: 2b7fc61857ff02761cc6b341b4245fba17855e57bcc136ed75aeafbd03bf2853
                            • Opcode Fuzzy Hash: b920dafea80bb627aefb0e9e8478b1e68d6ca8f887ac2a9f61730828152ae3fc
                            • Instruction Fuzzy Hash: 706129B5A0060AEFCB04CF68C985AAEBBF5FF48310B14856AE815E7350D734E951CF90
                            APIs
                            • gdi_SetRgn.GETSCREEN-156413884-X86(?,?,?,?,00000000,00000001,?,?), ref: 00D8C324
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: gdi_
                            • String ID:
                            • API String ID: 2273374161-0
                            • Opcode ID: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
                            • Instruction ID: 865086a72daf1fc43b38fa515c4be89aa5b458284a2074a5c771625b1c1c0e67
                            • Opcode Fuzzy Hash: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
                            • Instruction Fuzzy Hash: F131B5B1910209EFCB10EF99C9859AEBBF9FF48310F14806AE915E7211D335EA45CBB0
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00DB5C16
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00DB5C34
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00DB5C54
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00DB5C9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CriticalSection$Leave$Enter
                            • String ID:
                            • API String ID: 2978645861-0
                            • Opcode ID: 2051ef1a389456390ea4a02a62146902d93c7182408f966d18c8a74e2836429c
                            • Instruction ID: e38ed5523884334c0f83bde73e0370e7a495f8a60b77feac70ee047c77d25a78
                            • Opcode Fuzzy Hash: 2051ef1a389456390ea4a02a62146902d93c7182408f966d18c8a74e2836429c
                            • Instruction Fuzzy Hash: FD21AF75200B05EFDB208F15E980BA97BF5FB45321F144469F883A7294E770AD82CB60
                            APIs
                              • Part of subcall function 00E1F42C: GetLastError.KERNEL32(00000000,?,00E05FDD,00E1F0E3,?,?,00DAF77A,0000000C,?,?,?,?,00D227D2,?,?,?), ref: 00E1F581
                              • Part of subcall function 00E1F42C: SetLastError.KERNEL32(00000000,000000FF,00000006), ref: 00E1F623
                            • CloseHandle.KERNEL32(?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B711
                            • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B727
                            • RtlExitUserThread.NTDLL(?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B730
                            • GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 00E0B76E
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorExitHandleLastThread$CloseFreeLibraryModuleUser
                            • String ID:
                            • API String ID: 1062721995-0
                            • Opcode ID: 5fdca9eb63c1685f58f9aeef6c9b09c5ed7425e20f72609187b24c96ae3ccb29
                            • Instruction ID: ba0cb5e9fc13dfc67c326608319cbcd06c7e4502fe827571840ed75a7e2226d9
                            • Opcode Fuzzy Hash: 5fdca9eb63c1685f58f9aeef6c9b09c5ed7425e20f72609187b24c96ae3ccb29
                            • Instruction Fuzzy Hash: E311E9B5500204AFC7209F66DC09E9A7BE8EFC0764F185226F925E72D0DB70DD85C690
                            APIs
                            • region16_rects.GETSCREEN-156413884-X86(?,00000000), ref: 00D89BDC
                            • region16_extents.GETSCREEN-156413884-X86(?), ref: 00D89BEC
                            • rectangles_intersects.GETSCREEN-156413884-X86(00000000,?), ref: 00D89BF7
                              • Part of subcall function 00D897FD: rectangles_intersection.GETSCREEN-156413884-X86(?,?,?), ref: 00D8980C
                            • rectangles_intersects.GETSCREEN-156413884-X86(00000000,?), ref: 00D89C1A
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: rectangles_intersects$rectangles_intersectionregion16_extentsregion16_rects
                            • String ID:
                            • API String ID: 3854534691-0
                            • Opcode ID: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
                            • Instruction ID: 0575a324d9b2fa8be085287289a6ccd6c0cf7cd34b7bd0c6f810b4baa4b384e3
                            • Opcode Fuzzy Hash: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
                            • Instruction Fuzzy Hash: 02018833114219599B14BA95D8A167BE3DCDB40B65F1C401AFCD996040EB36EC41E3B4
                            APIs
                            • freerdp_new.GETSCREEN-156413884-X86 ref: 00DA1F56
                            • freerdp_context_new.GETSCREEN-156413884-X86(00000000,00000000,?,?), ref: 00DA1FA4
                            • freerdp_register_addin_provider.GETSCREEN-156413884-X86(?,00000000), ref: 00DA1FC7
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_context_newfreerdp_newfreerdp_register_addin_provider
                            • String ID:
                            • API String ID: 3731710698-0
                            • Opcode ID: 74a280b276fa9d87e9d62b2bbf8a32d4bd07aa9f8dacbb2c23376f3b90678468
                            • Instruction ID: e591f37dd9937fec0c38606d067f006661a19f183e342d3829314738e0e16862
                            • Opcode Fuzzy Hash: 74a280b276fa9d87e9d62b2bbf8a32d4bd07aa9f8dacbb2c23376f3b90678468
                            • Instruction Fuzzy Hash: 41119E36604B126FC725AB66D801B96B7E9FF56324F14041DF85887281EB70E890CAB0
                            APIs
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,?,00DB6A0A,?,?,00000000,?,00DAE976,00000000), ref: 00DB697B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpin
                            • String ID: %s: unknown handler type %u$WLog_Appender_New
                            • API String ID: 2593887523-3466059274
                            • Opcode ID: edd1ce3d46c7b373a171b8ea6b81a68c115e6608419e51f733cad571ce48b65e
                            • Instruction ID: c5110ca0ada2ce926ef0bf8d43e1cd3b6f421ce4bc4164a16208b23e8d0b8fb4
                            • Opcode Fuzzy Hash: edd1ce3d46c7b373a171b8ea6b81a68c115e6608419e51f733cad571ce48b65e
                            • Instruction Fuzzy Hash: DF112536108301E68E323A799C4ADFF6B68DB42F30B180019F547A6192DE3CE8016D72
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s%s-client.%s$DeviceServiceEntry
                            • API String ID: 0-2733899524
                            • Opcode ID: 3a0462b2f0e3e23754738fcb9b3071a3023d73991357c137ac18e7a06c72f3a4
                            • Instruction ID: f7a36ce2ae6b223a27ec4c6182b0829b2dbd0397efc93a064b9640213c867174
                            • Opcode Fuzzy Hash: 3a0462b2f0e3e23754738fcb9b3071a3023d73991357c137ac18e7a06c72f3a4
                            • Instruction Fuzzy Hash: 2011C872A003256BDB119F99D981AAF7BACDF50754F0C4019FD10D7241D770CE5187B0
                            APIs
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00D64060
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D64076
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: File$CreatePointer
                            • String ID: %s %hu %s %s %s
                            • API String ID: 2024441833-2916857029
                            • Opcode ID: 33480d54ee1fc694bfc67d7ce4117a60aca3bc79cb853f8b12fd1bf61899e848
                            • Instruction ID: b490dff442f3aeb5440e35ec35a8f1f2b186badf70c9bdda6671abf84705406f
                            • Opcode Fuzzy Hash: 33480d54ee1fc694bfc67d7ce4117a60aca3bc79cb853f8b12fd1bf61899e848
                            • Instruction Fuzzy Hash: A901D635201220BBDB212B66EC4EFA77F2DEF46774F248154FA1D990E2D722C856D6B0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,00000000,?,00DAE987), ref: 00DAEBF6
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,?,?,00DAE987), ref: 00DAEC1A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WLOG_FILTER
                            • API String ID: 1431749950-2006202657
                            • Opcode ID: 722a116722c3e7fcc9e1ed5b7da1f6f22f4268371e69f2cdb388a42c938a2fa4
                            • Instruction ID: 7f01110f6393b80d2f5ee6e9a5a862490ca5927c4fb9701740dd86147845830d
                            • Opcode Fuzzy Hash: 722a116722c3e7fcc9e1ed5b7da1f6f22f4268371e69f2cdb388a42c938a2fa4
                            • Instruction Fuzzy Hash: 39F0963331421A2E96202766BC49D1B7FADDAD67B9350002AF409D7191EB6E4C52C6B5
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00DB4AE3), ref: 00DB4BCC
                            • GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00DB4AE3), ref: 00DB4BEC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WINPR_NATIVE_SSPI
                            • API String ID: 1431749950-1020623567
                            • Opcode ID: 2b516e857c476f855e7bc51fc317a6296e7317a3ae8ac5490c45f6ff7916a1a0
                            • Instruction ID: 8645578d329a741f9e3308693758075d967ba0ddc93bf59bc947d978e4183e4b
                            • Opcode Fuzzy Hash: 2b516e857c476f855e7bc51fc317a6296e7317a3ae8ac5490c45f6ff7916a1a0
                            • Instruction Fuzzy Hash: 22F0823B75A6326AD625626A6C05FBB4E65CB82F21B291119F502E30C3CA44984365F6
                            APIs
                            • rfx_context_new.GETSCREEN-156413884-X86(?), ref: 00D7A2ED
                              • Part of subcall function 00D6E4DD: GetVersionExA.KERNEL32(?), ref: 00D6E5CD
                              • Part of subcall function 00D6E4DD: GetNativeSystemInfo.KERNEL32(?), ref: 00D6E5E7
                              • Part of subcall function 00D6E4DD: RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00D6E612
                            • progressive_context_free.GETSCREEN-156413884-X86(00000000), ref: 00D7A36D
                            Strings
                            • com.freerdp.codec.progressive, xrefs: 00D7A2CA
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: InfoNativeOpenSystemVersionprogressive_context_freerfx_context_new
                            • String ID: com.freerdp.codec.progressive
                            • API String ID: 2699998398-3622116780
                            • Opcode ID: e80f1ca7b0b9a3f536b6ae6a096d8657c092011a7513b15a642b448b699064a0
                            • Instruction ID: 38825a15cd94c9ba1e78fd72761be04ef39e501aa24b79336810cbcbf51792ba
                            • Opcode Fuzzy Hash: e80f1ca7b0b9a3f536b6ae6a096d8657c092011a7513b15a642b448b699064a0
                            • Instruction Fuzzy Hash: 63F08936A057025AE2247BB99802F5F7BD8DF82B70F28402EF54DA65C2FA709441C676
                            APIs
                            • freerdp_settings_get_key_for_name.GETSCREEN-156413884-X86(?), ref: 00D61EEF
                            • freerdp_settings_get_type_for_key.GETSCREEN-156413884-X86(00000000), ref: 00D61F51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                             • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_get_key_for_namefreerdp_settings_get_type_for_key
                            • String ID: TRUE
                            • API String ID: 1888880752-3412697401
                            • Opcode ID: 9bb1714707bed91c75a052e2304897d19b04baa083934ea9be81d208935aae6f
                            • Instruction ID: b59e18c45f76e8cb7834602dbca05ee10fd7ab38f0e2da75da32075b9a8c48f1
                            • Opcode Fuzzy Hash: 9bb1714707bed91c75a052e2304897d19b04baa083934ea9be81d208935aae6f
                            • Instruction Fuzzy Hash: 56E02B373043287BDA115A9ADC82D9F735CEF46F75B0D006AF504A7242EB70D94045B0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,00DB7163), ref: 00DB7190
                            • GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,?,00DB7163), ref: 00DB71B1
                              • Part of subcall function 00DB7310: LoadLibraryA.KERNEL32(?,?,00DB71C4,00000000,?,?,00DB7163), ref: 00DB7316
                              • Part of subcall function 00DB7310: GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00DB732B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable$AddressLibraryLoadProc
                            • String ID: WTSAPI_LIBRARY
                            • API String ID: 3590464466-1122459656
                            • Opcode ID: e12addbdc36646cee03b243a29ca750c606ef4fb6162b47a6bb0b2e203fba580
                            • Instruction ID: ebb701fc6179a25c96baba2534b81a498419048c04fef450f2c414f7084b9228
                            • Opcode Fuzzy Hash: e12addbdc36646cee03b243a29ca750c606ef4fb6162b47a6bb0b2e203fba580
                            • Instruction Fuzzy Hash: 4BE09B3620D713AFD231226DBC0AFDF1B55DBC3BA5F241119F402AA1C5AF54584295B6
                            APIs
                            • LoadLibraryA.KERNEL32(?,?,00DB71C4,00000000,?,?,00DB7163), ref: 00DB7316
                            • GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00DB732B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.20746483920.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000000.00000002.20746373194.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000000FDB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001D2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DB4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DC3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20746483920.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.20758848514.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: InitWtsApi
                            • API String ID: 2574300362-3428673357
                            • Opcode ID: b7cef5466d7c6a348d9e61d2ae311140cd5e13b7d601afb1794d727de40a3ad3
                            • Instruction ID: 8b2d8612ac34271469e120eacf3ed32b65b090a5f906fd2829dfd24e13e10197
                            • Opcode Fuzzy Hash: b7cef5466d7c6a348d9e61d2ae311140cd5e13b7d601afb1794d727de40a3ad3
                            • Instruction Fuzzy Hash: BCD0C271708605DF8B00AFF6AC065123BDC9740F447040432E819C6190EB71C410A660

                            Execution Graph

                            Execution Coverage:0.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:57
                            Total number of Limit Nodes:4
                            execution_graph 12891 1e929e0 12893 1e929f8 12891->12893 12892 1e92b03 LoadLibraryA 12892->12893 12893->12892 12895 1e92b2c GetProcAddress 12893->12895 12896 1e92b48 VirtualProtect VirtualProtect 12893->12896 12895->12893 12898 1e92b42 ExitProcess 12895->12898 12897 1e92bc0 12896->12897 12899 e0b62b 12900 e0b637 12899->12900 12901 e0b64b 12900->12901 12902 e0b63e GetLastError RtlExitUserThread 12900->12902 12905 e1f42c GetLastError 12901->12905 12902->12901 12904 e0b650 12906 e1f442 12905->12906 12916 e1f44c SetLastError 12906->12916 12932 e1f717 12906->12932 12909 e1f4dc 12909->12904 12910 e1f479 12911 e1f481 12910->12911 12912 e1f4b9 12910->12912 12936 e1f066 12911->12936 12940 e1f25a 12912->12940 12913 e1f4e1 12919 e1f717 RtlAllocateHeap 12913->12919 12920 e1f4fe 12913->12920 12916->12909 12916->12913 12918 e1f066 2 API calls 12918->12916 12923 e1f522 12919->12923 12921 e1f57d GetLastError 12920->12921 12931 e1f503 12920->12931 12922 e1f593 12921->12922 12928 e1f622 SetLastError 12922->12928 12924 e1f55e 12923->12924 12926 e1f52a 12923->12926 12927 e1f25a 2 API calls 12924->12927 12925 e1f066 2 API calls 12925->12920 12926->12925 12929 e1f569 12927->12929 12928->12904 12930 e1f066 2 API calls 12929->12930 12930->12931 12931->12904 12935 e1f730 12932->12935 12933 e1f74f RtlAllocateHeap 12934 e1f764 12933->12934 12933->12935 12934->12910 12935->12933 12935->12934 12937 e1f071 HeapFree 12936->12937 12939 e1f093 12936->12939 12938 e1f086 GetLastError 12937->12938 12937->12939 12938->12939 12939->12916 12945 e1f0ee 12940->12945 12946 e1f0fa 12945->12946 12957 e0f2a5 RtlEnterCriticalSection 12946->12957 12948 e1f104 12958 e1f134 12948->12958 12951 e1f200 12952 e1f20c 12951->12952 12962 e0f2a5 RtlEnterCriticalSection 12952->12962 12954 e1f216 12963 e1f24e 12954->12963 12957->12948 12961 e0f2ed RtlLeaveCriticalSection 12958->12961 12960 e1f122 12960->12951 12961->12960 12962->12954 12966 e0f2ed RtlLeaveCriticalSection 12963->12966 12965 e1f23c 12965->12918 12966->12965

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 1e929e0-1e929f0 1 1e92a02-1e92a07 0->1 2 1e92a09 1->2 3 1e929f8-1e929fd 2->3 4 1e92a0b 2->4 5 1e929fe-1e92a00 3->5 6 1e92a10-1e92a12 4->6 5->1 5->2 7 1e92a1b-1e92a1f 6->7 8 1e92a14-1e92a19 6->8 9 1e92a2c-1e92a2f 7->9 10 1e92a21 7->10 8->7 13 1e92a38-1e92a3a 9->13 14 1e92a31-1e92a36 9->14 11 1e92a4b-1e92a50 10->11 12 1e92a23-1e92a2a 10->12 15 1e92a63-1e92a65 11->15 16 1e92a52-1e92a5b 11->16 12->9 12->11 13->6 14->13 19 1e92a6e 15->19 20 1e92a67-1e92a6c 15->20 17 1e92a5d-1e92a61 16->17 18 1e92ad2-1e92ad5 16->18 17->19 23 1e92ada 18->23 21 1e92a3c-1e92a3e 19->21 22 1e92a70-1e92a73 19->22 20->19 27 1e92a40-1e92a45 21->27 28 1e92a47-1e92a49 21->28 25 1e92a7c 22->25 26 1e92a75-1e92a7a 22->26 24 1e92adc-1e92ade 23->24 29 1e92ae0-1e92ae3 24->29 30 1e92af7 24->30 25->21 31 1e92a7e-1e92a80 25->31 26->25 27->28 32 1e92a9d-1e92aac 28->32 29->24 33 1e92ae5-1e92af5 29->33 34 1e92afd-1e92b01 30->34 35 1e92a89-1e92a8d 31->35 36 1e92a82-1e92a87 31->36 37 1e92abc-1e92ac9 32->37 38 1e92aae-1e92ab5 32->38 33->23 39 1e92b48-1e92b4b 34->39 40 1e92b03-1e92b19 LoadLibraryA 34->40 35->31 41 1e92a8f 35->41 36->35 37->37 43 1e92acb-1e92acd 37->43 38->38 42 1e92ab7 38->42 47 1e92b4e-1e92b55 39->47 44 1e92b1a-1e92b1f 40->44 45 1e92a9a 41->45 46 1e92a91-1e92a98 41->46 42->5 43->5 44->34 48 1e92b21-1e92b23 44->48 45->32 46->31 46->45 49 1e92b79-1e92bbd VirtualProtect * 2 47->49 50 1e92b57-1e92b59 47->50 51 1e92b2c-1e92b39 GetProcAddress 48->51 52 1e92b25-1e92b2b 48->52 55 1e92bc0-1e92bc1 49->55 53 1e92b5b-1e92b6a 50->53 54 1e92b6c-1e92b77 50->54 56 1e92b3b-1e92b40 51->56 57 1e92b42 ExitProcess 51->57 52->51 53->47 54->53 58 1e92bc5-1e92bc9 55->58 56->44 58->58 59 1e92bcb 58->59
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 01E92B13
                            • GetProcAddress.KERNELBASE(?,01E6CFF9), ref: 01E92B31
                            • ExitProcess.KERNEL32(?,01E6CFF9), ref: 01E92B42
                            • VirtualProtect.KERNELBASE(00740000,00001000,00000004,?,00000000), ref: 01E92B90
                            • VirtualProtect.KERNELBASE(00740000,00001000), ref: 01E92BA5
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                            • String ID:
                            • API String ID: 1996367037-0
                            • Opcode ID: 3c3e4e1660f31b76f3217510b8a4a34511a40d85c57fd981d39193e29dff6a9b
                            • Instruction ID: 391c61bb0c683ec58ecfee36cbc39f1b252ca285cad72aaf2d7eb62838771f35
                            • Opcode Fuzzy Hash: 3c3e4e1660f31b76f3217510b8a4a34511a40d85c57fd981d39193e29dff6a9b
                            • Instruction Fuzzy Hash: C0510473A103136ADF318E6CDCC06ACB795EB452247581738DBE2D73C6E7E858468364

                            Control-flow Graph

                            APIs
                            • GetLastError.KERNEL32(00F60388,0000000C), ref: 00E0B63E
                            • RtlExitUserThread.NTDLL(00000000), ref: 00E0B645
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorExitLastThreadUser
                            • String ID: hp"
                            • API String ID: 1750398979-3535749429
                            • Opcode ID: 20c702f8eb4a4f1d09fa1df70841d5b491034839501e3b64d69212977764bbf0
                            • Instruction ID: e70983f9302ad3213ab65a109bf384cab2291cba1f74aeca5e1488578c76322e
                            • Opcode Fuzzy Hash: 20c702f8eb4a4f1d09fa1df70841d5b491034839501e3b64d69212977764bbf0
                            • Instruction Fuzzy Hash: 93F0C2B5A406049FDB04AFB0E80AB6E7BB4FF41710F205188F011BB2E2CB319981CBA1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB43BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EncryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EncryptMessage
                            • API String ID: 689400697-3976766517
                            • Opcode ID: f369313ce97d77256c537f2cd269f98f8828213c85fe734e9aed2eadb1d5a78d
                            • Instruction ID: b9081319dcaf33b24754beb8ac5c78ab50d4c5ef5aaeac8cc1ecbdc5ad09c99c
                            • Opcode Fuzzy Hash: f369313ce97d77256c537f2cd269f98f8828213c85fe734e9aed2eadb1d5a78d
                            • Instruction Fuzzy Hash: 10114635784305BBEA21AE56EC07F673A5CDB91B60F040054F541A61E2D9A2D921E671
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB42FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DecryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DecryptMessage
                            • API String ID: 689400697-3301108232
                            • Opcode ID: 3bd30c57549016c991fe5c43270f22717075e25eed3e706dcfc899111b149208
                            • Instruction ID: dd33cee2726611f6ec9e59f22ed0059c62e60ab8a3d6583eb77e36d44d2969aa
                            • Opcode Fuzzy Hash: 3bd30c57549016c991fe5c43270f22717075e25eed3e706dcfc899111b149208
                            • Instruction Fuzzy Hash: 4011AB357C4305BBEA216A56EC43E6F3FACEB95B60F080054F541A61D2D962DA10E771
                            APIs
                            • crypto_cert_fingerprint.GETSCREEN-156413884-X86(?), ref: 00D55E1C
                              • Part of subcall function 00D5576E: crypto_cert_fingerprint_by_hash.GETSCREEN-156413884-X86(?,sha256), ref: 00D55779
                            • crypto_cert_issuer.GETSCREEN-156413884-X86(?), ref: 00D55E30
                            • crypto_cert_subject.GETSCREEN-156413884-X86(?,?), ref: 00D55E3A
                            • certificate_data_new.GETSCREEN-156413884-X86(?,?,00000000,00000000,00000000,?,?), ref: 00D55E4A
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: certificate_data_newcrypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
                            • String ID:
                            • API String ID: 1865246629-0
                            • Opcode ID: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
                            • Instruction ID: 1c0b49ac72356f5ad9bb6363ab6a0902b68539d48f6c4c0547ab9c3a12defea7
                            • Opcode Fuzzy Hash: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
                            • Instruction Fuzzy Hash: ACE0DF36400608BF8F122F69EC06C9F3EBDDF853E0B084124BC1856129DA31CE1096B0
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DFFDC9,00F2C654), ref: 00DFFCAE
                            • UnhandledExceptionFilter.KERNEL32(00DFFDC9,?,00DFFDC9,00F2C654), ref: 00DFFCB7
                            • GetCurrentProcess.KERNEL32(C0000409,?,00DFFDC9,00F2C654), ref: 00DFFCC2
                            • TerminateProcess.KERNEL32(00000000,?,00DFFDC9,00F2C654), ref: 00DFFCC9
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                            • String ID:
                            • API String ID: 3231755760-0
                            • Opcode ID: 016b122b261de21273483e79371318767e93e4d76e6305f054fed9ede04224c6
                            • Instruction ID: a7857dc23f70debcd977cb2c300a531c34c70a76bf39b72adb1ed1a1a4242ea3
                            • Opcode Fuzzy Hash: 016b122b261de21273483e79371318767e93e4d76e6305f054fed9ede04224c6
                            • Instruction Fuzzy Hash: B3D012BA200208AFCB002BE2FD0DB493F2CFB4A61AF050000F31AA20F0CB71440A8B65

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNEL32(wtsapi32.dll,00DB7168), ref: 00DB744E
                            • GetProcAddress.KERNEL32(00000000,WTSStopRemoteControlSession), ref: 00DB746B
                            • GetProcAddress.KERNEL32(WTSStartRemoteControlSessionW), ref: 00DB747D
                            • GetProcAddress.KERNEL32(WTSStartRemoteControlSessionA), ref: 00DB748F
                            • GetProcAddress.KERNEL32(WTSConnectSessionW), ref: 00DB74A1
                            • GetProcAddress.KERNEL32(WTSConnectSessionA), ref: 00DB74B3
                            • GetProcAddress.KERNEL32(WTSEnumerateServersW), ref: 00DB74C5
                            • GetProcAddress.KERNEL32(WTSEnumerateServersA), ref: 00DB74D7
                            • GetProcAddress.KERNEL32(WTSOpenServerW), ref: 00DB74E9
                            • GetProcAddress.KERNEL32(WTSOpenServerA), ref: 00DB74FB
                            • GetProcAddress.KERNEL32(WTSOpenServerExW), ref: 00DB750D
                            • GetProcAddress.KERNEL32(WTSOpenServerExA), ref: 00DB751F
                            • GetProcAddress.KERNEL32(WTSCloseServer), ref: 00DB7531
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsW), ref: 00DB7543
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsA), ref: 00DB7555
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsExW), ref: 00DB7567
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsExA), ref: 00DB7579
                            • GetProcAddress.KERNEL32(WTSEnumerateProcessesW), ref: 00DB758B
                            • GetProcAddress.KERNEL32(WTSEnumerateProcessesA), ref: 00DB759D
                            • GetProcAddress.KERNEL32(WTSTerminateProcess), ref: 00DB75AF
                            • GetProcAddress.KERNEL32(WTSQuerySessionInformationW), ref: 00DB75C1
                            • GetProcAddress.KERNEL32(WTSQuerySessionInformationA), ref: 00DB75D3
                            • GetProcAddress.KERNEL32(WTSQueryUserConfigW), ref: 00DB75E5
                            • GetProcAddress.KERNEL32(WTSQueryUserConfigA), ref: 00DB75F7
                            • GetProcAddress.KERNEL32(WTSSetUserConfigW), ref: 00DB7609
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WTSCloseServer$WTSConnectSessionA$WTSConnectSessionW$WTSCreateListenerA$WTSCreateListenerW$WTSDisconnectSession$WTSEnableChildSessions$WTSEnumerateListenersA$WTSEnumerateListenersW$WTSEnumerateProcessesA$WTSEnumerateProcessesExA$WTSEnumerateProcessesExW$WTSEnumerateProcessesW$WTSEnumerateServersA$WTSEnumerateServersW$WTSEnumerateSessionsA$WTSEnumerateSessionsExA$WTSEnumerateSessionsExW$WTSEnumerateSessionsW$WTSFreeMemory$WTSFreeMemoryExA$WTSFreeMemoryExW$WTSGetActiveConsoleSessionId$WTSGetChildSessionId$WTSGetListenerSecurityA$WTSGetListenerSecurityW$WTSIsChildSessionsEnabled$WTSLogoffSession$WTSOpenServerA$WTSOpenServerExA$WTSOpenServerExW$WTSOpenServerW$WTSQueryListenerConfigA$WTSQueryListenerConfigW$WTSQuerySessionInformationA$WTSQuerySessionInformationW$WTSQueryUserConfigA$WTSQueryUserConfigW$WTSQueryUserToken$WTSRegisterSessionNotification$WTSRegisterSessionNotificationEx$WTSSendMessageA$WTSSendMessageW$WTSSetListenerSecurityA$WTSSetListenerSecurityW$WTSSetUserConfigA$WTSSetUserConfigW$WTSShutdownSystem$WTSStartRemoteControlSessionA$WTSStartRemoteControlSessionW$WTSStopRemoteControlSession$WTSTerminateProcess$WTSUnRegisterSessionNotification$WTSUnRegisterSessionNotificationEx$WTSVirtualChannelClose$WTSVirtualChannelOpen$WTSVirtualChannelOpenEx$WTSVirtualChannelPurgeInput$WTSVirtualChannelPurgeOutput$WTSVirtualChannelQuery$WTSVirtualChannelRead$WTSVirtualChannelWrite$WTSWaitSystemEvent$wtsapi32.dll
                            • API String ID: 2238633743-2998606599
                            • Opcode ID: 58f037b4dfcc0c0f6153050d52cb80cf1f43709ff7803f71061a8f5da0502f32
                            • Instruction ID: 889e04a529bee836fa364e9f33b3c2be857b4fef63ba590a49f0ca02da6b30e0
                            • Opcode Fuzzy Hash: 58f037b4dfcc0c0f6153050d52cb80cf1f43709ff7803f71061a8f5da0502f32
                            • Instruction Fuzzy Hash: 56B158B4D44315EBCB315F79AC4A8063EA3E7047783808917E9845E2BAE6BF8050FF91

                            Control-flow Graph

                            APIs
                            • freerdp_error_info.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA1519
                            • freerdp_get_error_info_string.GETSCREEN-156413884-X86(00000000,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA155D
                            • freerdp_reconnect.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA1601
                            • freerdp_get_last_error.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA1611
                            • Sleep.KERNEL32(0000000A,?,?,?,?,?,?,00DA14DF,?,00000000), ref: 00DA167E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Sleepfreerdp_error_infofreerdp_get_error_info_stringfreerdp_get_last_errorfreerdp_reconnect
                            • String ID: Attempting reconnect (%u of %u)$Autoreconnect aborted by user$C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c$Disconnected by server hitting a bug or resource limit [%s]$Maximum reconnect retries exceeded$Network disconnect!$client_auto_reconnect_ex$com.freerdp.client.common
                            • API String ID: 968149013-2963753137
                            • Opcode ID: 52e07c33af9fc13d6e074c0f836e5f8e7aea98aecd7a1dfff7b1998b3a5752e1
                            • Instruction ID: 1b780f5c1893d4df400537a90cfae4965274cec3d1a900c8f12ba80652d98e88
                            • Opcode Fuzzy Hash: 52e07c33af9fc13d6e074c0f836e5f8e7aea98aecd7a1dfff7b1998b3a5752e1
                            • Instruction Fuzzy Hash: 9751D776B4030577EB257B25EC43F7A27A8DF62B50F1C4029F610FA1D1EA76DA808674

                            Control-flow Graph

                            APIs
                            • gdi_get_pixel_format.GETSCREEN-156413884-X86(?,?,?,?,?,00D6A899,?,?,00000000,00000000,Function_006DAA7A), ref: 00D6A8B3
                            • gdi_free.GETSCREEN-156413884-X86(?,?,?,?,?,00D6A899,?,?,00000000,00000000,Function_006DAA7A), ref: 00D6AA40
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: gdi_freegdi_get_pixel_format
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c$com.freerdp.gdi$failed to initialize gdi$gdi_init_ex
                            • API String ID: 1251975138-534786182
                            • Opcode ID: 736e6e28bfab0f4d5ff8517606a17aaf4e9ac39a32e281fa7f1c25b6275a8a44
                            • Instruction ID: 048db22db05d0468b72fba943d9835b19abd880d5ce30f0cf61c222ec5a33d59
                            • Opcode Fuzzy Hash: 736e6e28bfab0f4d5ff8517606a17aaf4e9ac39a32e281fa7f1c25b6275a8a44
                            • Instruction Fuzzy Hash: 984172712007026FDB54AF68DC42B6AB7A5FF15310F18442AF598AB192EF71A851CF71

                            Control-flow Graph

                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00D30F64
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00D30F79
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: ,$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load_ex
                            • API String ID: 3168844106-1571615648
                            • Opcode ID: e196fda8aa3df71ec429677dd426a63e709925eb21032b98280bf9f47e7f55da
                            • Instruction ID: 329d81fc3df4a899cedadc6a72d75e6cba0eb4365c05580b2ca61c68765f337e
                            • Opcode Fuzzy Hash: e196fda8aa3df71ec429677dd426a63e709925eb21032b98280bf9f47e7f55da
                            • Instruction Fuzzy Hash: 6741D571B4030AAFDB209F69EC42B597BE8EB09714F144429F654F72D0D7B5A9018BA4

                            Control-flow Graph

                            APIs
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,?), ref: 00DA6D79
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,00000000), ref: 00DA6E1D
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,00000000), ref: 00DA6F6F
                            • freerdp_device_collection_add.GETSCREEN-156413884-X86(?,00000000), ref: 00DA7044
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_device_collection_add
                            • String ID: drive$parallel$printer$serial$smartcard
                            • API String ID: 2538329621-807955808
                            • Opcode ID: 8b8e51b5fc2b59d3695008d5171141d1fa826ae87ffdd48c750bd05bd26807b5
                            • Instruction ID: 4fdefb2aadd57d8e8ca45f8235a31c89f0d83400624acd8d5ba121443c7c77a2
                            • Opcode Fuzzy Hash: 8b8e51b5fc2b59d3695008d5171141d1fa826ae87ffdd48c750bd05bd26807b5
                            • Instruction Fuzzy Hash: 2DB1A036608602DBDF15AF18D84199E7BE1FF46350B188069F804AF292EF72DD919FA4

                            Control-flow Graph

                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00D30D92
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00D30DB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load
                            • API String ID: 3168844106-4217659166
                            • Opcode ID: 51e591a06f08c591435b422d6e952d2ddc77b0e0d15d6984e73f578023353a9d
                            • Instruction ID: d2acf971fe50968f178ca803bba6dce10a18dfd0ca66655c62a2c63ab1213201
                            • Opcode Fuzzy Hash: 51e591a06f08c591435b422d6e952d2ddc77b0e0d15d6984e73f578023353a9d
                            • Instruction Fuzzy Hash: E751AF71A40305AFEB24DF65EC46B5A7BA8EB05714F144029F644BB2D1EBB4A900CB64

                            Control-flow Graph (function entry e358b8; rendered graph not reproduced in text; legend: Executed / Not Executed)
                            APIs
                            • audio_format_get_tag_string.GETSCREEN-156413884-X86(00000000,?,?,00E35425,?,?,?,?,00000000,?), ref: 00E358FA
                            • audio_format_get_tag_string.GETSCREEN-156413884-X86(00000001,00000000,?,?,00E35425,?,?,?,?,00000000,?), ref: 00E35902
                            • audio_format_compatible.GETSCREEN-156413884-X86(%T,?,?,?,?,00E35425,?,?,?,?,00000000,?), ref: 00E3594D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: audio_format_get_tag_string$audio_format_compatible
                            • String ID: %T$%s requires %s for sample input, got %s$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c$Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON$com.freerdp.dsp$freerdp_dsp_resample
                            • API String ID: 204136587-1473788660
                            • Opcode ID: 29c281bf8f68dacc1c6ecbc63b5716983a06f941abb9707eafc645fe31ac66ec
                            • Instruction ID: 1798c5e9b03cc595c653d2a1446ba90b8626bdce48c38534dee020eb9ed1cae7
                            • Opcode Fuzzy Hash: 29c281bf8f68dacc1c6ecbc63b5716983a06f941abb9707eafc645fe31ac66ec
                            • Instruction Fuzzy Hash: 8521AAB27443016AE7245B64AC47F6B3BDCDB5173CF10141AFA54FA1C1EDA1E840D67A

                            Control-flow Graph (function entry e33b76; rendered graph not reproduced in text; legend: Executed / Not Executed)
                            APIs
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,00000400,00000001), ref: 00E33B87
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000401,00000000), ref: 00E33BB7
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000404,?), ref: 00E33BDB
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000402,00000000), ref: 00E33BFA
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000014,?), ref: 00E33C12
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,000006C1,?), ref: 00E33C2B
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000403,?), ref: 00E33C44
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000015,00000000), ref: 00E33C60
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(?,00000013,?), ref: 00E33C82
                            • freerdp_target_net_addresses_free.GETSCREEN-156413884-X86(?), ref: 00E33C93
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_string$freerdp_settings_set_boolfreerdp_settings_set_uint32freerdp_target_net_addresses_free
                            • String ID:
                            • API String ID: 949014189-0
                            • Opcode ID: 12f87a41451c66bc5c8156e90c5a793ed94ff3185f274a213cefdbc36b09d4f7
                            • Instruction ID: 3cc2f8fa1af4a78d03d4e5adae9df05d7f39a7578fcc74f9f9acc278b3b8a316
                            • Opcode Fuzzy Hash: 12f87a41451c66bc5c8156e90c5a793ed94ff3185f274a213cefdbc36b09d4f7
                            • Instruction Fuzzy Hash: C841D971600A06BBE7315F34EC4EF9A7B94FF04308F441024FA05E6591E776EA60CBA4

                            Control-flow Graph (function entry de1612; rendered graph not reproduced in text; legend: Executed / Not Executed)
                            APIs
                              • Part of subcall function 00DB5CD5: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,?,00DE1701,00000001), ref: 00DB5CF9
                            • zgfx_context_new.GETSCREEN-156413884-X86(00000000), ref: 00DE1874
                              • Part of subcall function 00E3693A: zgfx_context_reset.GETSCREEN-156413884-X86(00000000,00000000,00000000,?,00DE1879,00000000), ref: 00E36964
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpinzgfx_context_newzgfx_context_reset
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c$Failed to acquire reference to WLog %s$HashTable_New failed!$calloc failed!$com.freerdp.channels.rdpgfx.client$rdpgfx_client_context_new$zgfx_context_new failed!
                            • API String ID: 3732774510-3243565116
                            • Opcode ID: a9f86d6ee6c1bf7d75e60ac473ecaeef782e87272a9f5bf328b803e7f78dd39e
                            • Instruction ID: a7884d76c1402203b4a71a9339bf000f96533329993c787448c501b47fe49e02
                            • Opcode Fuzzy Hash: a9f86d6ee6c1bf7d75e60ac473ecaeef782e87272a9f5bf328b803e7f78dd39e
                            • Instruction Fuzzy Hash: 29711974784742BAD320AF26AC46B5677D8FB15B64F140129F544EB6C1DBB4E840CBB4
                            APIs
                              • Part of subcall function 00DB6B05: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,00000000,00000000,00000000,?,00D6E59B,00000001,00006060,00000010), ref: 00DB6B3E
                            • GetVersionExA.KERNEL32(?), ref: 00D6E5CD
                            • GetNativeSystemInfo.KERNEL32(?), ref: 00D6E5E7
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00D6E612
                            • primitives_get.GETSCREEN-156413884-X86 ref: 00D6E6DC
                            • CreateThreadpool.KERNEL32(00000000), ref: 00D6E6E2
                            Strings
                            • Software\FreeRDP\FreeRDP\RemoteFX, xrefs: 00D6E605
                            • com.freerdp.codec.rfx, xrefs: 00D6E530
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CountCreateCriticalInfoInitializeNativeOpenSectionSpinSystemThreadpoolVersionprimitives_get
                            • String ID: Software\FreeRDP\FreeRDP\RemoteFX$com.freerdp.codec.rfx
                            • API String ID: 3882483829-2530424157
                            • Opcode ID: d516d2f4fb4fb947890f0f34c17779c9cccf0d2fe72e074f2e386071ae2e7d95
                            • Instruction ID: 5c4e0ae59249631e6cc24edc33fd482fdee636d76ee8ea35f24eae6d19730bd6
                            • Opcode Fuzzy Hash: d516d2f4fb4fb947890f0f34c17779c9cccf0d2fe72e074f2e386071ae2e7d95
                            • Instruction Fuzzy Hash: 0041AEB5A0070AAFEB109FB5DC86B6AB7F8FF44704F10442DE549A6282EB74D9458F70
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00DAE8B2
                            • GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00DAE8D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: %s environment variable modified in my back$BINARY$CONSOLE$FILE$UDP$WLOG_APPENDER
                            • API String ID: 1431749950-225596728
                            • Opcode ID: 59cd61ef45497802f9306aa52deaf7dfba3cea3ce77d0897025a33b3194e8a4c
                            • Instruction ID: ee82b75be1a7cbf690fccbfebfb7c04767cf7637468d7e82a100162d7369ee3d
                            • Opcode Fuzzy Hash: 59cd61ef45497802f9306aa52deaf7dfba3cea3ce77d0897025a33b3194e8a4c
                            • Instruction Fuzzy Hash: D521A13734835629E6647366AC8BE3B1B99CB93B74724043AF405F50C2EE55C891EDB2
                            APIs
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,?,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000015B), ref: 00D348D9
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,00000000,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000016A), ref: 00D3498F
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_set_last_error_ex
                            • String ID: %s missing context=%p$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c$ErrorInfo$com.freerdp.core.rdp$freerdp$rdp_set_error_info
                            • API String ID: 270715978-29603548
                            • Opcode ID: 6805e0f0f859e76f837a4a9d0c547b024f1cb982e7fd7b7dafe110a540c0051d
                            • Instruction ID: d3638f7f4958cd93d300bb98f490a1a99c7581fee34172c24aa3615508b6c4d9
                            • Opcode Fuzzy Hash: 6805e0f0f859e76f837a4a9d0c547b024f1cb982e7fd7b7dafe110a540c0051d
                            • Instruction Fuzzy Hash: D8210B72A40305BADB106F55DC03FAB7B6CDB51B14F184169FA047A2C5E6F8A640CEB5
                            APIs
                            • LoadLibraryA.KERNEL32(secur32.dll,?,00DB4AEC), ref: 00DB4B18
                            • LoadLibraryA.KERNEL32(security.dll,?,00DB4AEC), ref: 00DB4B28
                            • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceW), ref: 00DB4B42
                            • GetProcAddress.KERNEL32(InitSecurityInterfaceA), ref: 00DB4B51
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: InitSecurityInterfaceA$InitSecurityInterfaceW$secur32.dll$security.dll
                            • API String ID: 2574300362-4081094439
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00D64320
                            • GetFileSize.KERNEL32(00000000,?), ref: 00D6433A
                            Similarity
                            • API ID: File$CreateSize
                            • String ID: %s %hu %s %s %s
                            • API String ID: 2791376181-2916857029
                            APIs
                            • ber_read_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D4502A
                            • ber_read_length.GETSCREEN-156413884-X86(?,?), ref: 00D4503F
                            Similarity
                            • API ID: ber_read_lengthber_read_universal_tag
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c$ber_read_integer$com.freerdp.crypto$should implement reading an 8 bytes integer$should implement reading an integer with length=%d
                            • API String ID: 3186670568-2454464461
                            APIs
                            • region16_rects.GETSCREEN-156413884-X86(?,?), ref: 00D89C6E
                            Similarity
                            • API ID: region16_rects
                            • String ID: (%hu,%hu-%hu,%hu)$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c$band %d: $com.freerdp.codec$nrects=%u$region16_print
                            • API String ID: 844131241-2640574824
                            APIs
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D22C14
                            • clearChannelError.GETSCREEN-156413884-X86(?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D22C1B
                              • Part of subcall function 00D226E1: ResetEvent.KERNEL32(?), ref: 00D2270A
                              • Part of subcall function 00D38142: ResetEvent.KERNEL32(?,?,00D22C27,?,?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D3814E
                            Strings
                            • freerdp, xrefs: 00D23062
                            • ConnectionResult, xrefs: 00D23077
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D22BFC
                            • freerdp_connect, xrefs: 00D22C01
                            Similarity
                            • API ID: EventReset$ChannelErrorclearfreerdp_set_last_error_ex
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$ConnectionResult$freerdp$freerdp_connect
                            • API String ID: 3632380314-3564821047
                            APIs
                            • ber_write_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D45415
                            • ber_write_length.GETSCREEN-156413884-X86(?,00000001,?,00000002,00000000), ref: 00D4541D
                            • ber_write_universal_tag.GETSCREEN-156413884-X86(?,00000002,00000000), ref: 00D45440
                            • ber_write_length.GETSCREEN-156413884-X86(?,00000002,?,00000002,00000000), ref: 00D45448
                            Similarity
                            • API ID: ber_write_lengthber_write_universal_tag
                            • String ID:
                            • API String ID: 1889070510-0
                            APIs
                            • glyph_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CB79
                            • brush_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CB86
                            • pointer_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CB94
                            • bitmap_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBA2
                            • offscreen_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBB0
                            • palette_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBBE
                            • nine_grid_cache_new.GETSCREEN-156413884-X86(?), ref: 00D4CBCC
                            • cache_free.GETSCREEN-156413884-X86(00000000), ref: 00D4CBDE
                            Similarity
                            • API ID: bitmap_cache_newbrush_cache_newcache_freeglyph_cache_newnine_grid_cache_newoffscreen_cache_newpalette_cache_newpointer_cache_new
                            • String ID:
                            • API String ID: 2332728789-0
                            APIs
                            • region16_init.GETSCREEN-156413884-X86(?), ref: 00D6F58A
                            Similarity
                            • API ID: region16_init
                            • String ID:
                            • API String ID: 4140821900-0
                            APIs
                            • gdi_CreateCompatibleDC.GETSCREEN-156413884-X86(?,00000000,?,?,?,00D6A9C7,00000000,?,?,?,?,?,?,?,?,00D6A899), ref: 00D6AAE7
                            • gdi_CreateCompatibleBitmap.GETSCREEN-156413884-X86(?,?,?,00000000,?,?,?,00D6A9C7,00000000,?,?,?,?), ref: 00D6AB0E
                            • gdi_CreateBitmapEx.GETSCREEN-156413884-X86(?,?,?,?,?,?,00000000,?,?,?,00D6A9C7,00000000,?,?,?,?), ref: 00D6AB2A
                            • gdi_SelectObject.GETSCREEN-156413884-X86(?,?), ref: 00D6AB60
                            • gdi_CreateRectRgn.GETSCREEN-156413884-X86(00000000,00000000,00000000,00000000), ref: 00D6ABA5
                            • gdi_DeleteObject.GETSCREEN-156413884-X86(?), ref: 00D6AC39
                            • gdi_DeleteDC.GETSCREEN-156413884-X86(?), ref: 00D6AC48
                            Similarity
                            • API ID: gdi_$Create$BitmapCompatibleDeleteObject$RectSelect
                            • String ID:
                            • API String ID: 412453062-0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,00000000,00000000,?,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?), ref: 00DBEABD
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEAE7
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,00000000,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEB14
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,?,?,?,?,00DB6939,?,?,?,?,00DB6A0A,?,?,00000000), ref: 00DBEB37
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WLOG_FILEAPPENDER_OUTPUT_FILE_NAME$WLOG_FILEAPPENDER_OUTPUT_FILE_PATH
                            • API String ID: 1431749950-2760771567
                            • Opcode ID: 3003672d8f8ac8353af05bb60af147140f761dca6eac61b0cf911b5a80fed5a2
                            • Instruction ID: 90133b353b5cf1063962a4ace7bdf70f69dd8727c235b759bd6964edd19ed087
                            • Opcode Fuzzy Hash: 3003672d8f8ac8353af05bb60af147140f761dca6eac61b0cf911b5a80fed5a2
                            • Instruction Fuzzy Hash: 5031D1B6A00A16FF87146FA69849DEFBFA8FF407643140018F403A3681DB709C519AF9
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(00FE1278,Function_00068C90,007A8EC0,00000000), ref: 007A8F0A
                            • GetLastError.KERNEL32 ref: 007A8F38
                            • TlsGetValue.KERNEL32 ref: 007A8F46
                            • SetLastError.KERNEL32(00000000), ref: 007A8F4F
                            • RtlAcquireSRWLockExclusive.NTDLL(00FE1284), ref: 007A8F61
                            • RtlReleaseSRWLockExclusive.NTDLL(00FE1284), ref: 007A8F73
                            • TlsSetValue.KERNEL32(00000000,?,?,00000000,0078B080), ref: 007A8FB5
                            Similarity
                            • API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
                            • String ID:
                            • API String ID: 389898287-0
                            • Opcode ID: d82df07462a115ee3f0cc6b4226ffbe6275affee18ae113974017ee9efc692e2
                            • Instruction ID: e2a4279d735c18e1b95dfaebc6676b0b4821ef0f2c36977a78e068d3e474efea
                            • Opcode Fuzzy Hash: d82df07462a115ee3f0cc6b4226ffbe6275affee18ae113974017ee9efc692e2
                            • Instruction Fuzzy Hash: 3C21F6B570020AAFD7405FA6EC49BAE3BA5FB47701F000120FE15E62D0EB759919DBA2
                            APIs
                            • socket.WS2_32(00000002,00000002,00000011), ref: 00DBF673
                            • GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00DB6921,?,?,?,?,00DB6A0A,?,?,00000000,?,00DAE976,00000000), ref: 00DBF68A
                            • GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00DB6921,?,?,?,?,00DB6A0A,?,?,00000000,?,00DAE976,00000000), ref: 00DBF6AB
                            • closesocket.WS2_32(?), ref: 00DBF6E6
                            Strings
                            Similarity
                            • API ID: EnvironmentVariable$closesocketsocket
                            • String ID: 127.0.0.1:20000$WLOG_UDP_TARGET
                            • API String ID: 65193492-3368084233
                            • Opcode ID: 1eb5259095c9f59c9b1c2d168aadc1d36cd4503f6d79c8977cb25e4217055946
                            • Instruction ID: ce4c73165f8e39fe9115eda3647c98a578ad6a325e3d0917779317582e933391
                            • Opcode Fuzzy Hash: 1eb5259095c9f59c9b1c2d168aadc1d36cd4503f6d79c8977cb25e4217055946
                            • Instruction Fuzzy Hash: 97219F76644B02EFD3305F669C09B977BE4EF41714F24042DF543AAAE1DBB1E4418B64
                            APIs
                            • LoadLibraryA.KERNEL32(winsta.dll,?,00DB78D9,01067120), ref: 00DC0023
                            • GetProcAddress.KERNEL32(00000000,WinStationVirtualOpen), ref: 00DC003C
                            • GetProcAddress.KERNEL32(WinStationVirtualOpenEx), ref: 00DC0052
                            Strings
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WinStationVirtualOpen$WinStationVirtualOpenEx$winsta.dll
                            • API String ID: 2238633743-2382846951
                            • Opcode ID: bca72f749f963809c03aaa0275ada407960eddc3121bd1f100a8fb5f62a59976
                            • Instruction ID: a8fd1ac4370bff82f7a7cb31ba5c699696b6b56c3ffe79f8a697d2f120e9f33e
                            • Opcode Fuzzy Hash: bca72f749f963809c03aaa0275ada407960eddc3121bd1f100a8fb5f62a59976
                            • Instruction Fuzzy Hash: 770125B0A41742CFD7009FB1A80DF623EE4BB05794F0A40BDE489EB362DBB58044AF64
                            APIs
                            • glyph_cache_free.GETSCREEN-156413884-X86(?), ref: 00D4CB1E
                            • brush_cache_free.GETSCREEN-156413884-X86(?,?), ref: 00D4CB26
                            • pointer_cache_free.GETSCREEN-156413884-X86(?,?,?), ref: 00D4CB2E
                            • bitmap_cache_free.GETSCREEN-156413884-X86(?,?,?,?), ref: 00D4CB36
                            • offscreen_cache_free.GETSCREEN-156413884-X86(?,?,?,?,?), ref: 00D4CB3E
                            • palette_cache_free.GETSCREEN-156413884-X86(?,?,?,?,?,?), ref: 00D4CB46
                            • nine_grid_cache_free.GETSCREEN-156413884-X86(?,?,?,?,?,?,?), ref: 00D4CB4E
                            Similarity
                            • API ID: bitmap_cache_freebrush_cache_freeglyph_cache_freenine_grid_cache_freeoffscreen_cache_freepalette_cache_freepointer_cache_free
                            • String ID:
                            • API String ID: 637575458-0
                            • Opcode ID: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
                            • Instruction ID: 7d2ad1be38f40f5d9100628832ae03b041193a76f72864a167362ba3ee387bbb
                            • Opcode Fuzzy Hash: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
                            • Instruction Fuzzy Hash: 71E01231411A14ABCA323F61DC03C5ABBAAEF117617445929F49625473CB22AC60AEB5
                            APIs
                            • gdi_CRgnToRect.GETSCREEN-156413884-X86(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00D8E040
                            • gdi_RgnToRect.GETSCREEN-156413884-X86(?,?,?,?,?), ref: 00D8E04F
                            • gdi_CRgnToRect.GETSCREEN-156413884-X86(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00D8E062
                            • gdi_RgnToRect.GETSCREEN-156413884-X86(?,?,?,?,?), ref: 00D8E0A3
                            • gdi_CRgnToRect.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,?,?), ref: 00D8E0C8
                            • gdi_RectToCRgn.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D8E147
                            Similarity
                            • API ID: Rectgdi_
                            • String ID:
                            • API String ID: 2404991910-0
                            • Opcode ID: 65c5216e4ca2f334d45f2cd06848fd1547205e4cfa29124a99895a26d202aa1a
                            • Instruction ID: 59c4b9f716e6fafceaa9a279b9c9673c2ddaf35ae519084c4ba5e651d87cacde
                            • Opcode Fuzzy Hash: 65c5216e4ca2f334d45f2cd06848fd1547205e4cfa29124a99895a26d202aa1a
                            • Instruction Fuzzy Hash: 0C51C072E01219EFCF14EF99C8858EEBBB9FF48710B14842AE515A7250D771AA41CFB0
                            APIs
                            • freerdp_settings_set_uint32.GETSCREEN-156413884-X86(?,000007C0,?), ref: 00D61DA2
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C8,00000001), ref: 00D61DCC
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C8,00000000), ref: 00D61DE8
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C9,00000000), ref: 00D61DFC
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C8,00000000), ref: 00D61E19
                            • freerdp_settings_set_bool.GETSCREEN-156413884-X86(?,000007C9,00000000), ref: 00D61E2D
                            Similarity
                            • API ID: freerdp_settings_set_bool$freerdp_settings_set_uint32
                            • String ID:
                            • API String ID: 4272850885-0
                            • Opcode ID: 3ea0a0162d7e9506aea58fcc0c8a3655e8c344f224c799a42870156a752d33d1
                            • Instruction ID: feb49c3982a8684006756a8fdfe54064ca500717821cece9542d44e8f719cad9
                            • Opcode Fuzzy Hash: 3ea0a0162d7e9506aea58fcc0c8a3655e8c344f224c799a42870156a752d33d1
                            • Instruction Fuzzy Hash: 7A11D66EF8920277F96020654C82F6F129C8F62B59F5C0025FE08E51C3EA96EE0088F6
                            APIs
                            • freerdp_image_copy.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,08008000,00000000,00000000,00000000,?,00000001,?,?), ref: 00D88C2B
                            Strings
                            • freerdp_image_copy_from_icon_data, xrefs: 00D88DBA
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00D88DBF
                            • 1bpp and 4bpp icons are not supported, xrefs: 00D88DB5
                            • com.freerdp.color, xrefs: 00D88D98
                            Similarity
                            • API ID: freerdp_image_copy
                            • String ID: 1bpp and 4bpp icons are not supported$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$com.freerdp.color$freerdp_image_copy_from_icon_data
                            • API String ID: 1523062921-332027372
                            • Opcode ID: f47f52faf731e1e0bcd6cd1c87dcbd4d30f769a5dc7a7d2c0dd584dfc727d97b
                            • Instruction ID: 34ea53ca85ac2f1719ac225b7316df33585b6dcfc5fcce39badb4d22dfae884b
                            • Opcode Fuzzy Hash: f47f52faf731e1e0bcd6cd1c87dcbd4d30f769a5dc7a7d2c0dd584dfc727d97b
                            • Instruction Fuzzy Hash: 0851B5B1A0021DAEDF24AF15CD41BFA77A8EF14300F4881A9FE14A2191D7719E81DF74
                            Strings
                            Similarity
                            • API ID:
                            • String ID: kbd-lang-list$kbd-list$monitor-list
                            • API String ID: 0-1393584692
                            • Opcode ID: 4fd9e4ee0ffaca3aed8f3a2ee95e57f5b96aa7382adc5e00e085069b725a13b7
                            • Instruction ID: 6e075998fd72a7b786a2918271cbd35609f93a4e6f0503c882ee7d8e1406be28
                            • Opcode Fuzzy Hash: 4fd9e4ee0ffaca3aed8f3a2ee95e57f5b96aa7382adc5e00e085069b725a13b7
                            • Instruction Fuzzy Hash: 9431A732901218ABDB20EB68DD46DDBB7ECEB05310F0841A5FD18A71D2DA70DE40EAF1
                            Strings
                            • com.freerdp.codec, xrefs: 00D79AD0
                            • interleaved_compress: width (%u) or height (%u) is greater than 64, xrefs: 00D79AF0
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c, xrefs: 00D79AFA
                            • interleaved_compress, xrefs: 00D79AF5
                            Similarity
                            • API ID:
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c$com.freerdp.codec$interleaved_compress$interleaved_compress: width (%u) or height (%u) is greater than 64
                            • API String ID: 0-4054760794
                            • Opcode ID: d85437afc43ce44ab5132420aab3533f95c215e4be3900ba6292be4bf386adf8
                            • Instruction ID: b9cf6b2ac3b1e1ba26c8d4c733676cf33304a4dcd19a13ac3aa60de0457c31dc
                            • Opcode Fuzzy Hash: d85437afc43ce44ab5132420aab3533f95c215e4be3900ba6292be4bf386adf8
                            • Instruction Fuzzy Hash: E521C273341209BFEF255E56DC96FAB7B68EB05754F088119FA08661A0F672EC50CB70
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3CC8
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextW
                            • API String ID: 689400697-743139187
                            • Opcode ID: b3b805675f9222908816f167d5fb7b1162adb8a8f0cdaea20a55787a871de2c8
                            • Instruction ID: c61b74a6778c36063c0bb2a1ffa8d1edb47d65641b055684fbe2395195ff3fc3
                            • Opcode Fuzzy Hash: b3b805675f9222908816f167d5fb7b1162adb8a8f0cdaea20a55787a871de2c8
                            • Instruction Fuzzy Hash: C221A536280244FBEF225E96DC02EEB3F69EB55B54F040154FA04660E1DA62DA60FBB1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3DA3
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextA
                            • API String ID: 689400697-1744466472
                            • Opcode ID: 2eea3a3e51f6079cc079a12b7f81ffe647e431201094f2e9324180b18d59b907
                            • Instruction ID: 0db3efcb9d8d3e86031f11ffc3e329e15d9f953f7646301bfee65671ced8692d
                            • Opcode Fuzzy Hash: 2eea3a3e51f6079cc079a12b7f81ffe647e431201094f2e9324180b18d59b907
                            • Instruction Fuzzy Hash: C421C336240204FBEF225E96EC02EEB3F69EB45B54F040154FA44650E1D672DA21FB70
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3227
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcquireCredentialsHandleW: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleW
                            • API String ID: 689400697-2657764935
                            • Opcode ID: 3608575d8dcd4481cd5f3055395dec5de9a26248fa144b46edfc1a51ccdbaf8e
                            • Instruction ID: fdcda2abf87abb33374589a7c2a86917b64a7dd425e847e6d722d69d0728af92
                            • Opcode Fuzzy Hash: 3608575d8dcd4481cd5f3055395dec5de9a26248fa144b46edfc1a51ccdbaf8e
                            • Instruction Fuzzy Hash: 3A11E432684305FBEF221E56EC07EAB3B69EB55B14F040094FA01A50E1D572DA20F7B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB32F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcquireCredentialsHandleA: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleA
                            • API String ID: 689400697-1172745827
                            • Opcode ID: ee8330f766247ef7580ab77b56b9b2ac2045816d24b17fa03d64e72467238a28
                            • Instruction ID: 10bf43b068e49bd497b97c3fcc99fe516e99f4f27280dc1cfd64e8af1dd408c8
                            • Opcode Fuzzy Hash: ee8330f766247ef7580ab77b56b9b2ac2045816d24b17fa03d64e72467238a28
                            • Instruction Fuzzy Hash: 3611A536344205FBEF222E569C06EAB3FA9EB45B54F040054FA04651E1DA62D920F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB384E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcceptSecurityContext: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcceptSecurityContext
                            • API String ID: 689400697-2008077614
                            • Opcode ID: ccefbb1fe2f2e385423ef8aa5d2334f9ed660c910b16205ec69a1fc16b740488
                            • Instruction ID: 99fe409885ad976f5129006e109f3b164fdba013604cc5fdb1efff9062ed6bc5
                            • Opcode Fuzzy Hash: ccefbb1fe2f2e385423ef8aa5d2334f9ed660c910b16205ec69a1fc16b740488
                            • Instruction Fuzzy Hash: 6311D636240204FBEF225E56EC07EAB3F69EB55B54F040055FA00A51E1D966CA21FBB1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB4544
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$VerifySignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_VerifySignature
                            • API String ID: 689400697-1495805676
                            • Opcode ID: 307cbb9edf8a4ebff92783441eab19cdcaf0d103a63b8c2a8886c8410c94a2fc
                            • Instruction ID: 98b3351dc559f1c5d86aee85d2f7a1c82c6d7f02ad04834b08163a97289a2162
                            • Opcode Fuzzy Hash: 307cbb9edf8a4ebff92783441eab19cdcaf0d103a63b8c2a8886c8410c94a2fc
                            • Instruction Fuzzy Hash: CC11E775384704BBEA31AA56EC07FA73BACDB51B50F040054FA01A61E2D9A2CD10E775
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB40BB
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesW
                            • API String ID: 689400697-247170817
                            • Opcode ID: 8fbfbfd4e0a825d081d4a12aba37a5dfaa4f6f380db60e38efc816a182c25d0a
                            • Instruction ID: cb79550c6f617bfaa4b7ce11790babc97080b350c82d278fcca72b1439d18cd1
                            • Opcode Fuzzy Hash: 8fbfbfd4e0a825d081d4a12aba37a5dfaa4f6f380db60e38efc816a182c25d0a
                            • Instruction Fuzzy Hash: 98110A36784305FBEA22AA5AEC03EAB3F6CEB91B60F044054F941A60D2D966CD50E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB417E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesA
                            • API String ID: 689400697-1164902870
                            • Opcode ID: bea88b7b22939bf934497e077808359eb8e6a2e0534cb70cd60e5d03e430364e
                            • Instruction ID: a8904db56472dead351d7abe508bd6a5f4a1bfb2fc1115e403d61f3f2f8bcc4f
                            • Opcode Fuzzy Hash: bea88b7b22939bf934497e077808359eb8e6a2e0534cb70cd60e5d03e430364e
                            • Instruction Fuzzy Hash: 32110D39784305FBEA31AA56EC03E673F6CDB51B60F040054F901A50D3D962CA50E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB4481
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$MakeSignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_MakeSignature
                            • API String ID: 689400697-3834539683
                            • Opcode ID: 8fff4197dd1dac2a00c8d5ad8cbb4b930f8cb7b9d9af8445e52f2d71828b2080
                            • Instruction ID: 9c96ad772089bde2f9169dc48410110a3975094eacd190773c5293c4526f8a76
                            • Opcode Fuzzy Hash: 8fff4197dd1dac2a00c8d5ad8cbb4b930f8cb7b9d9af8445e52f2d71828b2080
                            • Instruction Fuzzy Hash: F111E775380304FBEA316A56AC03FAB3B6CDB81B60F044054FA01A65E3D9A2CD20E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB33CB
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ExportSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ExportSecurityContext
                            • API String ID: 689400697-3640258815
                            • Opcode ID: 080f00bc6b52f8b4c90e95ccc08b55ec7e2501dc662a57880aaafce68d5d65f2
                            • Instruction ID: 4f57cd32bab2273443919f188ac44c2e473d00e22c2901cb0347818e3de2850a
                            • Opcode Fuzzy Hash: 080f00bc6b52f8b4c90e95ccc08b55ec7e2501dc662a57880aaafce68d5d65f2
                            • Instruction Fuzzy Hash: 4111E735384304FAEB221A56EC07FA73B6CEB91B54F040064FA41A70E1D962DA10F771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3548
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextW
                            • API String ID: 689400697-3257054040
                            • Opcode ID: deb4a1c2086ca34d2869eebd00ccf5e504d8730b312efbf1b265f6d338d2c72d
                            • Instruction ID: 64977588999548d6247546f1d7fe72f77c10104e888ea0dbd4ce5c53f87dddd8
                            • Opcode Fuzzy Hash: deb4a1c2086ca34d2869eebd00ccf5e504d8730b312efbf1b265f6d338d2c72d
                            • Instruction Fuzzy Hash: 77119435384305BAEA315E56EC07FA73BADEB51B54F040054FA01A61D1E9A2DA10F775
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB360B
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextA
                            • API String ID: 689400697-848437295
                            • Opcode ID: 633087edfde2f68bb47261b14267e125a5daf245b454dbb2927d5e57ae45b585
                            • Instruction ID: d7a1cdd970deefc0b9ba524ce1c3a78a833dc5445281ec20ed0ccf819f42b62e
                            • Opcode Fuzzy Hash: 633087edfde2f68bb47261b14267e125a5daf245b454dbb2927d5e57ae45b585
                            • Instruction Fuzzy Hash: 73110A35380304FAEB325A56EC07FAB3B6CDB51B64F040054F941A61E1D9A2DA11F7B5
                            APIs
                            • ncrush_context_reset.GETSCREEN-156413884-X86(00000000,00000000), ref: 00D81B36
                            Strings
                            • com.freerdp.codec, xrefs: 00D81AF1
                            • ncrush_context_new, xrefs: 00D81B14
                            • ncrush_context_new: failed to initialize tables, xrefs: 00D81B0F
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c, xrefs: 00D81B19
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ncrush_context_reset
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c$com.freerdp.codec$ncrush_context_new$ncrush_context_new: failed to initialize tables
                            • API String ID: 2838332675-904927664
                            • Opcode ID: 5beb58443ae4acf6553ade6ffe48762b4b104013af54215ae2096fca8978c0e7
                            • Instruction ID: 92ea939e86af608edb07a1b05139b89813acb907b2eb101fa3b390d080ead838
                            • Opcode Fuzzy Hash: 5beb58443ae4acf6553ade6ffe48762b4b104013af54215ae2096fca8978c0e7
                            • Instruction Fuzzy Hash: C01108723007067AE314BB15AC42FA7B7DCEB41754F20411DF608A66C1EBB2A951CBB0
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB36CE
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesW
                            • API String ID: 689400697-3413647607
                            • Opcode ID: e1f6dbac7b1aecb37c71ce92d399cd3bf0e4fa6a14009dd2e1820232b963d726
                            • Instruction ID: 13d2b840c005fe16bd761178484a735cc88847a3272b82e0f65e5ccd2380754b
                            • Opcode Fuzzy Hash: e1f6dbac7b1aecb37c71ce92d399cd3bf0e4fa6a14009dd2e1820232b963d726
                            • Instruction Fuzzy Hash: 9E11E9B5384340FBEB215A56EC07FA73BACEB92B54F040094F941AA1E1DDA2DA11F771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB378E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesA
                            • API String ID: 689400697-3754301720
                            • Opcode ID: f8d11526cb3e0c97667efc20a61aa2108bb6d5ed5f4ab4bd00d595dca7856f30
                            • Instruction ID: c806a74fe92bc68c6fdc9ab5d333bd96d2b614cf75e6c15e968bcfe6459788ff
                            • Opcode Fuzzy Hash: f8d11526cb3e0c97667efc20a61aa2108bb6d5ed5f4ab4bd00d595dca7856f30
                            • Instruction Fuzzy Hash: DA110A75380341FAEA211756EC07EA73B6CEB51B54F0400A4F940A61D1DD62DA11F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3E7E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesW
                            • API String ID: 689400697-2578917824
                            • Opcode ID: 38f2a77e898e7e163c11fdc0bfcc9f65d14a511f9a656ed72ba8f386fba3ff76
                            • Instruction ID: 10bcb6ab69531a0aca6f23e91eebb113bf73fc2f975c91fca904e8748798339a
                            • Opcode Fuzzy Hash: 38f2a77e898e7e163c11fdc0bfcc9f65d14a511f9a656ed72ba8f386fba3ff76
                            • Instruction Fuzzy Hash: BB110636384300FBEA325A56EC03FAB3B6CEB95F64F040155F901A60D1D962DA11F771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3F3E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesA
                            • API String ID: 689400697-3211427146
                            • Opcode ID: b1dc4295e170f856977553b8e1e652cf5c0624be3037165d26d98fe6798714de
                            • Instruction ID: d7056a98cee6e8cbd47c9d80d97d890a5378d7e7efe5ff176d0a28d55d5a0a86
                            • Opcode Fuzzy Hash: b1dc4295e170f856977553b8e1e652cf5c0624be3037165d26d98fe6798714de
                            • Instruction Fuzzy Hash: EB11C135784301FAEA226A56EC03EBB3F6DEB95B60F040094F940A60D1D9B2DA10A771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB30AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoW
                            • API String ID: 689400697-2261828479
                            • Opcode ID: 479954bcacd58462f064905597a1cf0662988a32b5ebacc39d15cd97721b4f16
                            • Instruction ID: 29b1fd94e8362ca86afcf5ca7f755991f49405afd8851eb643728b2e683139ba
                            • Opcode Fuzzy Hash: 479954bcacd58462f064905597a1cf0662988a32b5ebacc39d15cd97721b4f16
                            • Instruction Fuzzy Hash: 3011E535388301BAEA31665AEC07FA73BACDB92F64F040094F905A61D1D9A2DA10F7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB316A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoA
                            • API String ID: 689400697-3351603741
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3FFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityContextToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityContextToken
                            • API String ID: 689400697-2156878011
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB2F33
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesW
                            • API String ID: 689400697-255015424
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB2FF0
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesA
                            • API String ID: 689400697-1149382491
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3920
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: ApplyControlToken: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_ApplyControlToken
                            • API String ID: 689400697-2845897268
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB39DD
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$CompleteAuthToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_CompleteAuthToken
                            • API String ID: 689400697-1972714555
                            APIs
                            • freerdp_image_copy.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00D895B5
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00D895F0
                            • com.freerdp.color, xrefs: 00D895C8
                            • SmartScaling requested but compiled without libcairo support!, xrefs: 00D895E6
                            • freerdp_image_scale, xrefs: 00D895EB
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_image_copy
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$SmartScaling requested but compiled without libcairo support!$com.freerdp.color$freerdp_image_scale
                            • API String ID: 1523062921-212429655
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB4241
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$RevertSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_RevertSecurityContext
                            • API String ID: 689400697-954186549
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3B54
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeContextBuffer: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeContextBuffer
                            • API String ID: 689400697-1791514552
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3C0E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImpersonateSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImpersonateSecurityContext
                            • API String ID: 689400697-4242683877
                            • Opcode ID: 871fc2bbcf2c46159d6b0661d6b2b5a7a44a5fe97f004d292dc4e7985ec164f0
                            • Instruction ID: 431a5f2e896169f4d81a2cf06e9a7c7cdcb26d05f3dafb39bb01086e9fd13225
                            • Opcode Fuzzy Hash: 871fc2bbcf2c46159d6b0661d6b2b5a7a44a5fe97f004d292dc4e7985ec164f0
                            • Instruction Fuzzy Hash: D611C835384300FBE6212656EC07FA73F5CDB92F50F0401A4F941A61E2D992DB11F6B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB348E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeCredentialsHandle: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeCredentialsHandle
                            • API String ID: 689400697-3116451197
                            • Opcode ID: 1409ef787062f5453defe90b9ba9f8e1a566c10a8ac02463e99c8e07e4509588
                            • Instruction ID: 3b941353c5ec6e0560fe93aa40b6b9c04dfcf444844c52fe4f49971b83152074
                            • Opcode Fuzzy Hash: 1409ef787062f5453defe90b9ba9f8e1a566c10a8ac02463e99c8e07e4509588
                            • Instruction Fuzzy Hash: 01110835384301FAEA322626EC07F673B9CDB92B54F0440A4F545A60D1D992DE50F6B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010670C8,00DB4AA1,00000000,00000000), ref: 00DB3A9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DeleteSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DeleteSecurityContext
                            • API String ID: 689400697-4185332897
                            • Opcode ID: 42d94eeae4b5b9a598ea7349f333e4a0021de697c8b6a4960d89686d9679c88a
                            • Instruction ID: 1efd685cf09d506ea53561d1de4bdd83493ca27a540bc868c24e2d4f69ed7731
                            • Opcode Fuzzy Hash: 42d94eeae4b5b9a598ea7349f333e4a0021de697c8b6a4960d89686d9679c88a
                            • Instruction Fuzzy Hash: 0511E535784300FAE632665AEC07FA73B5CDB92B54F040168F944E60E1D992DA11B6B5
                            APIs
                            • primitives_get.GETSCREEN-156413884-X86 ref: 00E365CB
                            Strings
                            • com.freerdp.codec, xrefs: 00E3660B
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c, xrefs: 00E36633
                            • yuv_process_work_callback, xrefs: 00E3662E
                            • error when decoding lines, xrefs: 00E36629
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: primitives_get
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c$com.freerdp.codec$error when decoding lines$yuv_process_work_callback
                            • API String ID: 2017034601-2620645302
                            • Opcode ID: 5f235f30597290e64c0b663bf6157f4d58c2ee7ca260f72bdd303ace9b5944de
                            • Instruction ID: 0658d8e2b553374ff7192685a6f3cd1725393b054ec1ee39a915d34824c9b826
                            • Opcode Fuzzy Hash: 5f235f30597290e64c0b663bf6157f4d58c2ee7ca260f72bdd303ace9b5944de
                            • Instruction Fuzzy Hash: CB0196B1600306BFDB14DF64DC02F5A7BA8FF06718F004159F904EA281EAB5E940CBB5
                            APIs
                            • region16_extents.GETSCREEN-156413884-X86(?), ref: 00D89F06
                            • region16_extents.GETSCREEN-156413884-X86(?,?), ref: 00D89F12
                            • region16_n_rects.GETSCREEN-156413884-X86(?,?,?), ref: 00D89F1D
                            • region16_n_rects.GETSCREEN-156413884-X86(?), ref: 00D89F7D
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: region16_extentsregion16_n_rects
                            • String ID:
                            • API String ID: 2062899502-0
                            • Opcode ID: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
                            • Instruction ID: 0117f150602412b3be55513778fe053282ae775071e97130aba6e26abd5f369b
                            • Opcode Fuzzy Hash: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
                            • Instruction Fuzzy Hash: 87512875A0022AABCB14DF99C8408BEF7F5FF18310B15816AE859E7250E335AE40CBB4
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(00FE1278,007A8C90,007A8EC0,00000000), ref: 007A8E6A
                            • GetLastError.KERNEL32 ref: 007A8E7F
                            • TlsGetValue.KERNEL32 ref: 007A8E8D
                            • SetLastError.KERNEL32(00000000), ref: 007A8E96
                            • TlsAlloc.KERNEL32 ref: 007A8EC3
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorLastOnce$AllocExecuteInitValue
                            • String ID:
                            • API String ID: 2822033501-0
                            • Opcode ID: db51f4c6e5405456cf08b14f38c2e0a05b43aaba6587951bfd86496e2d2758e3
                            • Instruction ID: df1ea4469e373195183c178e20251ef794ba4659a3b25d75efd74e0968f767a5
                            • Opcode Fuzzy Hash: db51f4c6e5405456cf08b14f38c2e0a05b43aaba6587951bfd86496e2d2758e3
                            • Instruction Fuzzy Hash: 6301C87960020C9FCB009FB6EC49B6E77B8FB46B11B404225F915E7290EB3099088B61
                            APIs
                            • audio_format_print.GETSCREEN-156413884-X86(?,?,?), ref: 00E34A72
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: audio_format_print
                            • String ID: AUDIO_FORMATS (%hu) ={$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_formats_print
                            • API String ID: 2744001552-3527835062
                            • Opcode ID: 190b4eed6e8eb1bfef3c354a6c4be8922e1d4cc71d4c945d923ffda63c261f84
                            • Instruction ID: b78a942341c6e3ef25444726e57ef43ec42734cb83659480e3f1fbda42139c21
                            • Opcode Fuzzy Hash: 190b4eed6e8eb1bfef3c354a6c4be8922e1d4cc71d4c945d923ffda63c261f84
                            • Instruction Fuzzy Hash: 9511B4B228031536DB11AE155C46FAF2F9CDF63B64F040015FD14B21C2F6A1E601D2BB
                            APIs
                            • getChannelError.GETSCREEN-156413884-X86(?), ref: 00D31248
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ChannelError
                            • String ID: ($ChannelDetached$freerdp
                            • API String ID: 1163697128-436519898
                            • Opcode ID: d41152332e34c1132b17fc4ebc57e4b237890b6d19fcfe298640a9fb059c40de
                            • Instruction ID: fc80bfe549b8597e74f5623f85120fd146f05f3c631305c3a6c06a9ddc4a1d40
                            • Opcode Fuzzy Hash: d41152332e34c1132b17fc4ebc57e4b237890b6d19fcfe298640a9fb059c40de
                            • Instruction Fuzzy Hash: 7C212C75A00209EFDB10DF98C885FAEBBF9FF08344F144469E944EB251D770AA549BA0
                            APIs
                            • getChannelError.GETSCREEN-156413884-X86(?), ref: 00D30BB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ChannelError
                            • String ID: ($ChannelAttached$freerdp
                            • API String ID: 1163697128-2646891115
                            • Opcode ID: 068b98a21e688adcc1a7a8ef4bb56f7f67ea8c15b542e4d7e67dc6f7d4de20b9
                            • Instruction ID: f91ad36d8a6de8015f64d295c82b2d5ed3997809a739205efbd6b358ca96a36e
                            • Opcode Fuzzy Hash: 068b98a21e688adcc1a7a8ef4bb56f7f67ea8c15b542e4d7e67dc6f7d4de20b9
                            • Instruction Fuzzy Hash: 82210C71A00209EFDF14DF98C885FAEBBF9FF08344F1445A9E944A7252D771AA509BA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: audin$rdpsnd
                            • API String ID: 0-930729200
                            • Opcode ID: 6f8f7c70f85235a5e8cfa22d1d5172d6193b23b90d8a430442da5d604fd0f399
                            • Instruction ID: f8d5fcc491c9a5b0804bee04886522f5f4ebedceeef8fc4138f87d240f1a78ee
                            • Opcode Fuzzy Hash: 6f8f7c70f85235a5e8cfa22d1d5172d6193b23b90d8a430442da5d604fd0f399
                            • Instruction Fuzzy Hash: 8D116071A09E16ABDB24CF34CC806AAF3A4FB06B41F19422AE45853140D730A990CBF2
                            APIs
                            • audio_format_get_tag_string.GETSCREEN-156413884-X86(?,?,?,?,?,?,?,?), ref: 00E34737
                            Strings
                            • audio_format_print, xrefs: 00E34743
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00E34748
                            • %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu, xrefs: 00E3473E
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: audio_format_get_tag_string
                            • String ID: %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_format_print
                            • API String ID: 2866491501-3564663344
                            • Opcode ID: c52e0dd6431addf09f15b8af9c1846588221c8247c802d37eaa2d35c0adcb67b
                            • Instruction ID: c2d6e60e98c7b835152735da8c56021c325244e8a3b4f5dbb22e345a41e2b73d
                            • Opcode Fuzzy Hash: c52e0dd6431addf09f15b8af9c1846588221c8247c802d37eaa2d35c0adcb67b
                            • Instruction Fuzzy Hash: 00F030B6140308BADB411F51CC02E763B6DEB49B14F248089FD5C9C1D2E677D9A2E775
                            APIs
                            • freerdp_get_last_error.GETSCREEN-156413884-X86(?), ref: 00D22725
                            • freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,0002000B,freerdp_abort_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,0000013A), ref: 00D22745
                            Strings
                            • freerdp_abort_connect, xrefs: 00D22739
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D22734
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_get_last_errorfreerdp_set_last_error_ex
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$freerdp_abort_connect
                            • API String ID: 3690923134-629580617
                            • Opcode ID: 8b84df513927c2faf32e9f7b4c90c45f57ed35bad4788dd2aa2a229fc031dfbd
                            • Instruction ID: 77cffd4ec60be4181f7003ad927b34deaf9b401c806ea308a7082c46035d468c
                            • Opcode Fuzzy Hash: 8b84df513927c2faf32e9f7b4c90c45f57ed35bad4788dd2aa2a229fc031dfbd
                            • Instruction Fuzzy Hash: 89E0D831244334FADA312D10FC02B65F794DF20B98F180425B9C476091E6625A52D5B0
                            APIs
                            • primitives_get.GETSCREEN-156413884-X86 ref: 00E3633F
                            • primitives_flags.GETSCREEN-156413884-X86(00000000), ref: 00E36353
                            • TpWaitForWork.NTDLL(00000000,00000000), ref: 00E364A9
                            • TpReleaseWork.NTDLL(00000000), ref: 00E364B2
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: Work$ReleaseWaitprimitives_flagsprimitives_get
                            • String ID:
                            • API String ID: 704174238-0
                            • Opcode ID: 770e272acda34966134cf913e7d735ec8a6edee504f15f3f9643633075e34d19
                            • Instruction ID: 2b7fc61857ff02761cc6b341b4245fba17855e57bcc136ed75aeafbd03bf2853
                            • Opcode Fuzzy Hash: 770e272acda34966134cf913e7d735ec8a6edee504f15f3f9643633075e34d19
                            • Instruction Fuzzy Hash: 706129B5A0060AEFCB04CF68C985AAEBBF5FF48310B14856AE815E7350D734E951CF90
                            APIs
                            • gdi_SetRgn.GETSCREEN-156413884-X86(?,?,?,?,00000000,00000001,?,?), ref: 00D8C324
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: gdi_
                            • String ID:
                            • API String ID: 2273374161-0
                            • Opcode ID: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
                            • Instruction ID: 865086a72daf1fc43b38fa515c4be89aa5b458284a2074a5c771625b1c1c0e67
                            • Opcode Fuzzy Hash: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
                            • Instruction Fuzzy Hash: F131B5B1910209EFCB10EF99C9859AEBBF9FF48310F14806AE915E7211D335EA45CBB0
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00DB5C16
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00DB5C34
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00DB5C54
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00DB5C9A
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CriticalSection$Leave$Enter
                            • String ID:
                            • API String ID: 2978645861-0
                            • Opcode ID: 2051ef1a389456390ea4a02a62146902d93c7182408f966d18c8a74e2836429c
                            • Instruction ID: e38ed5523884334c0f83bde73e0370e7a495f8a60b77feac70ee047c77d25a78
                            • Opcode Fuzzy Hash: 2051ef1a389456390ea4a02a62146902d93c7182408f966d18c8a74e2836429c
                            • Instruction Fuzzy Hash: FD21AF75200B05EFDB208F15E980BA97BF5FB45321F144469F883A7294E770AD82CB60
                            APIs
                              • Part of subcall function 00E1F42C: GetLastError.KERNEL32(00000000,?,00E05FDD,00E1F0E3,?,?,00DAF77A,0000000C,?,?,?,?,00D227D2,?,?,?), ref: 00E1F581
                              • Part of subcall function 00E1F42C: SetLastError.KERNEL32(00000000,00000006), ref: 00E1F623
                            • CloseHandle.KERNEL32(?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B711
                            • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B727
                            • RtlExitUserThread.NTDLL(?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B730
                            • GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 00E0B76E
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorExitHandleLastThread$CloseFreeLibraryModuleUser
                            • String ID:
                            • API String ID: 1062721995-0
                            • Opcode ID: 5fdca9eb63c1685f58f9aeef6c9b09c5ed7425e20f72609187b24c96ae3ccb29
                            • Instruction ID: ba0cb5e9fc13dfc67c326608319cbcd06c7e4502fe827571840ed75a7e2226d9
                            • Opcode Fuzzy Hash: 5fdca9eb63c1685f58f9aeef6c9b09c5ed7425e20f72609187b24c96ae3ccb29
                            • Instruction Fuzzy Hash: E311E9B5500204AFC7209F66DC09E9A7BE8EFC0764F185226F925E72D0DB70DD85C690
                            APIs
                            • region16_rects.GETSCREEN-156413884-X86(?,00000000), ref: 00D89BDC
                            • region16_extents.GETSCREEN-156413884-X86(?), ref: 00D89BEC
                            • rectangles_intersects.GETSCREEN-156413884-X86(00000000,?), ref: 00D89BF7
                              • Part of subcall function 00D897FD: rectangles_intersection.GETSCREEN-156413884-X86(?,?,?), ref: 00D8980C
                            • rectangles_intersects.GETSCREEN-156413884-X86(00000000,?), ref: 00D89C1A
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: rectangles_intersects$rectangles_intersectionregion16_extentsregion16_rects
                            • String ID:
                            • API String ID: 3854534691-0
                            • Opcode ID: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
                            • Instruction ID: 0575a324d9b2fa8be085287289a6ccd6c0cf7cd34b7bd0c6f810b4baa4b384e3
                            • Opcode Fuzzy Hash: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
                            • Instruction Fuzzy Hash: 02018833114219599B14BA95D8A167BE3DCDB40B65F1C401AFCD996040EB36EC41E3B4
                            APIs
                            • freerdp_new.GETSCREEN-156413884-X86 ref: 00DA1F56
                            • freerdp_context_new.GETSCREEN-156413884-X86(00000000,00000000,?,?), ref: 00DA1FA4
                            • freerdp_register_addin_provider.GETSCREEN-156413884-X86(?,00000000), ref: 00DA1FC7
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_context_newfreerdp_newfreerdp_register_addin_provider
                            • String ID:
                            • API String ID: 3731710698-0
                            • Opcode ID: 14ef670117846f8193ecc85148fcc9ed3a6c0848a3febb97312ddb2eef9b83d7
                            • Instruction ID: e591f37dd9937fec0c38606d067f006661a19f183e342d3829314738e0e16862
                            • Opcode Fuzzy Hash: 14ef670117846f8193ecc85148fcc9ed3a6c0848a3febb97312ddb2eef9b83d7
                            • Instruction Fuzzy Hash: 41119E36604B126FC725AB66D801B96B7E9FF56324F14041DF85887281EB70E890CAB0
                            APIs
                            • freerdp_settings_free.GETSCREEN-156413884-X86(00000000), ref: 00D37326
                              • Part of subcall function 00D37F9B: GetComputerNameExA.KERNEL32(00000000,?,?,00000000), ref: 00D37FCC
                              • Part of subcall function 00D37F9B: freerdp_settings_set_string.GETSCREEN-156413884-X86(?,00000680,?), ref: 00D37FFC
                            • freerdp_settings_set_string.GETSCREEN-156413884-X86(00000000,00000086,?), ref: 00D36D8C
                            Strings
                            • C:\Windows\System32\mstscax.dll, xrefs: 00D36F3F
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_string$ComputerNamefreerdp_settings_free
                            • String ID: C:\Windows\System32\mstscax.dll
                            • API String ID: 2334115954-183970058
                            • Opcode ID: e41935eb0da15cc3e54599b8196f18d55dcb7c3f5d736c93c7abc9bde74f5c42
                            • Instruction ID: 86ab1a1b4ba1dff6552174a4c942266a7e98b54b4ac349927e52d19ead6dd3b1
                            • Opcode Fuzzy Hash: e41935eb0da15cc3e54599b8196f18d55dcb7c3f5d736c93c7abc9bde74f5c42
                            • Instruction Fuzzy Hash: 68E1C6B1505F009EE324DF38D885B97BBE4FF08311F50992EE5AE87391D7B5A5808B58
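The per-function records in this report (APIs, Strings, Memory Dump Source, Similarity) are repetitive to read by hand, but their layout is regular enough to parse. The script below is an added example, not Joe Sandbox's own tooling: it turns records in exactly the shape shown on this page into structured data, then splits each function's calls into Windows imports (KERNEL32, NTDLL, ...) versus functions statically linked into the sample's own module, and collects build paths left in string references (here the `C:\Project\agent-windows\freerdp\...` paths that reveal the FreeRDP source tree). The sample input is constructed from records above; the module name `GETSCREEN-156413884-X86` is taken from how this report labels the sample's own code, and the field names in the dataclasses are this example's own choice.

```python
"""Parse Joe Sandbox per-function records ("APIs / Strings / Memory Dump Source /
Similarity" blocks, as laid out in this report) into structured data for triage.
Added example; not Joe Sandbox code. Field names below are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9\-]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
SRC_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-F]+), based on PE: (?P<pe>true|false)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample: three records copied in the shape of the report above.
SAMPLE = r"""APIs
• freerdp_get_last_error.GETSCREEN-156413884-X86(?), ref: 00D22725
• freerdp_set_last_error_ex.GETSCREEN-156413884-X86(?,0002000B,freerdp_abort_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,0000013A), ref: 00D22745
Strings
• freerdp_abort_connect, xrefs: 00D22739
• C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D22734
Memory Dump Source
• Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: freerdp_get_last_errorfreerdp_set_last_error_ex
• String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$freerdp_abort_connect
• API String ID: 3690923134-629580617
• Instruction Fuzzy Hash: 89E0D831244334FADA312D10FC02B65F794DF20B98F180425B9C476091E6625A52D5B0
APIs
• primitives_get.GETSCREEN-156413884-X86 ref: 00E3633F
• TpWaitForWork.NTDLL(00000000,00000000), ref: 00E364A9
Similarity
• API ID: Work$ReleaseWaitprimitives_flagsprimitives_get
• String ID:
• API String ID: 704174238-0
APIs
  • Part of subcall function 00E1F42C: GetLastError.KERNEL32(00000000,?,00E05FDD), ref: 00E1F581
• CloseHandle.KERNEL32(?,?,?,00E0B817,?,?,00E0B689,00000000), ref: 00E0B711
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # raw argument tokens; "?" means the sandbox could not resolve it
    ref: str              # address of the call site
    via_subcall: str | None = None   # callee address when reported as "Part of subcall"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)      # (text, xref address)
    source_file: str | None = None
    offset: str | None = None
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)   # API ID, String ID, fuzzy hashes, ...


def parse_records(text: str) -> list:
    """Each record starts at an 'APIs' header; bullet lines are routed by the current section."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(body)):
            args = m["args"].split(",") if m["args"] is not None else []
            current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            text_, sep, xref = body.rpartition(", xrefs: ")
            if sep:
                current.strings.append((text_, xref))
        elif section == "Memory Dump Source":
            if m := SRC_RE.match(body):
                current.source_file, current.offset = m["file"], m["off"]
                current.based_on_pe = m["pe"] == "true"
            elif body.startswith("Associated: "):
                current.associated.append(body[len("Associated: "):])
        elif section == "Similarity":
            key, _, value = body.partition(":")   # values such as "C:\..." keep their own colons
            current.similarity[key.strip()] = value.strip()
    return records


def summarize(records: list, own_module: str) -> dict:
    """Separate Windows imports from the sample's own (statically linked) code and pull out
    build paths embedded in strings, which identify the library and source tree compiled in."""
    imports, internal, paths = set(), set(), set()
    for rec in records:
        for call in rec.apis:
            if call.module == own_module:
                internal.add(call.name)
            else:
                imports.add(f"{call.module}!{call.name}")
        for text_, _ in rec.strings:
            if re.match(r"^[A-Za-z]:\\", text_):
                paths.add(text_)
    return {"windows_imports": sorted(imports), "internal_calls": sorted(internal),
            "build_paths": sorted(paths)}


if __name__ == "__main__":
    for key, values in summarize(parse_records(SAMPLE), "GETSCREEN-156413884-X86").items():
        print(key, *values, sep="\n  ")
```

To run it against the full report, paste the record section into a file and pass its contents to `parse_records` instead of `SAMPLE`; the module label for the sample's own code is whatever suffix the report attaches to non-import calls (here `GETSCREEN-156413884-X86`).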
                            APIs
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,?,00DB6A0A,?,?,00000000,?,00DAE976,00000000), ref: 00DB697B
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpin
                            • String ID: %s: unknown handler type %u$WLog_Appender_New
                            • API String ID: 2593887523-3466059274
                            • Opcode ID: edd1ce3d46c7b373a171b8ea6b81a68c115e6608419e51f733cad571ce48b65e
                            • Instruction ID: c5110ca0ada2ce926ef0bf8d43e1cd3b6f421ce4bc4164a16208b23e8d0b8fb4
                            • Opcode Fuzzy Hash: edd1ce3d46c7b373a171b8ea6b81a68c115e6608419e51f733cad571ce48b65e
                            • Instruction Fuzzy Hash: DF112536108301E68E323A799C4ADFF6B68DB42F30B180019F547A6192DE3CE8016D72
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s%s-client.%s$DeviceServiceEntry
                            • API String ID: 0-2733899524
                            • Opcode ID: f68c266c4dd2b2394af1b6ed1559e91e23b900a608bc5b1345aeada2deb7c655
                            • Instruction ID: f7a36ce2ae6b223a27ec4c6182b0829b2dbd0397efc93a064b9640213c867174
                            • Opcode Fuzzy Hash: f68c266c4dd2b2394af1b6ed1559e91e23b900a608bc5b1345aeada2deb7c655
                            • Instruction Fuzzy Hash: 2011C872A003256BDB119F99D981AAF7BACDF50754F0C4019FD10D7241D770CE5187B0
                            APIs
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00D64060
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D64076
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: File$CreatePointer
                            • String ID: %s %hu %s %s %s
                            • API String ID: 2024441833-2916857029
                            • Opcode ID: 33480d54ee1fc694bfc67d7ce4117a60aca3bc79cb853f8b12fd1bf61899e848
                            • Instruction ID: b490dff442f3aeb5440e35ec35a8f1f2b186badf70c9bdda6671abf84705406f
                            • Opcode Fuzzy Hash: 33480d54ee1fc694bfc67d7ce4117a60aca3bc79cb853f8b12fd1bf61899e848
                            • Instruction Fuzzy Hash: A901D635201220BBDB212B66EC4EFA77F2DEF46774F248154FA1D990E2D722C856D6B0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,00000000,?,00DAE987), ref: 00DAEBF6
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,?,?,00DAE987), ref: 00DAEC1A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WLOG_FILTER
                            • API String ID: 1431749950-2006202657
                            • Opcode ID: 458f06d61edcd92abaca9b17d233fc8720e29832aa7c3d845260fbe50cc2a8f6
                            • Instruction ID: 7f01110f6393b80d2f5ee6e9a5a862490ca5927c4fb9701740dd86147845830d
                            • Opcode Fuzzy Hash: 458f06d61edcd92abaca9b17d233fc8720e29832aa7c3d845260fbe50cc2a8f6
                            • Instruction Fuzzy Hash: 39F0963331421A2E96202766BC49D1B7FADDAD67B9350002AF409D7191EB6E4C52C6B5
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00DB4AE3), ref: 00DB4BCC
                            • GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00DB4AE3), ref: 00DB4BEC
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WINPR_NATIVE_SSPI
                            • API String ID: 1431749950-1020623567
                            • Opcode ID: 52c70321bb8f1da4d248887a55b12b8895842b9544df9fdbae6e96a473e5800b
                            • Instruction ID: 8645578d329a741f9e3308693758075d967ba0ddc93bf59bc947d978e4183e4b
                            • Opcode Fuzzy Hash: 52c70321bb8f1da4d248887a55b12b8895842b9544df9fdbae6e96a473e5800b
                            • Instruction Fuzzy Hash: 22F0823B75A6326AD625626A6C05FBB4E65CB82F21B291119F502E30C3CA44984365F6
                            APIs
                            • rfx_context_new.GETSCREEN-156413884-X86(?), ref: 00D7A2ED
                              • Part of subcall function 00D6E4DD: GetVersionExA.KERNEL32(?), ref: 00D6E5CD
                              • Part of subcall function 00D6E4DD: GetNativeSystemInfo.KERNEL32(?), ref: 00D6E5E7
                              • Part of subcall function 00D6E4DD: RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00D6E612
                            • progressive_context_free.GETSCREEN-156413884-X86(00000000), ref: 00D7A36D
                            Strings
                            • com.freerdp.codec.progressive, xrefs: 00D7A2CA
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: InfoNativeOpenSystemVersionprogressive_context_freerfx_context_new
                            • String ID: com.freerdp.codec.progressive
                            • API String ID: 2699998398-3622116780
                            • Opcode ID: e80f1ca7b0b9a3f536b6ae6a096d8657c092011a7513b15a642b448b699064a0
                            • Instruction ID: 38825a15cd94c9ba1e78fd72761be04ef39e501aa24b79336810cbcbf51792ba
                            • Opcode Fuzzy Hash: e80f1ca7b0b9a3f536b6ae6a096d8657c092011a7513b15a642b448b699064a0
                            • Instruction Fuzzy Hash: 63F08936A057025AE2247BB99802F5F7BD8DF82B70F28402EF54DA65C2FA709441C676
                            APIs
                            • freerdp_settings_get_key_for_name.GETSCREEN-156413884-X86(?), ref: 00D61EEF
                            • freerdp_settings_get_type_for_key.GETSCREEN-156413884-X86(00000000), ref: 00D61F51
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: freerdp_settings_get_key_for_namefreerdp_settings_get_type_for_key
                            • String ID: TRUE
                            • API String ID: 1888880752-3412697401
                            • Opcode ID: 9bb1714707bed91c75a052e2304897d19b04baa083934ea9be81d208935aae6f
                            • Instruction ID: b59e18c45f76e8cb7834602dbca05ee10fd7ab38f0e2da75da32075b9a8c48f1
                            • Opcode Fuzzy Hash: 9bb1714707bed91c75a052e2304897d19b04baa083934ea9be81d208935aae6f
                            • Instruction Fuzzy Hash: 56E02B373043287BDA115A9ADC82D9F735CEF46F75B0D006AF504A7242EB70D94045B0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,00DB7163), ref: 00DB7190
                            • GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,?,00DB7163), ref: 00DB71B1
                              • Part of subcall function 00DB7310: LoadLibraryA.KERNEL32(?,?,00DB71C4,00000000,?,?,00DB7163), ref: 00DB7316
                              • Part of subcall function 00DB7310: GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00DB732B
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: EnvironmentVariable$AddressLibraryLoadProc
                            • String ID: WTSAPI_LIBRARY
                            • API String ID: 3590464466-1122459656
                            • Opcode ID: 8c51b60b2ad8229ce6d97111c13b738956319c6998f5e9c4498dbe3aa3c1c7ca
                            • Instruction ID: ebb701fc6179a25c96baba2534b81a498419048c04fef450f2c414f7084b9228
                            • Opcode Fuzzy Hash: 8c51b60b2ad8229ce6d97111c13b738956319c6998f5e9c4498dbe3aa3c1c7ca
                            • Instruction Fuzzy Hash: 4BE09B3620D713AFD231226DBC0AFDF1B55DBC3BA5F241119F402AA1C5AF54584295B6
                            APIs
                            • LoadLibraryA.KERNEL32(?,?,00DB71C4,00000000,?,?,00DB7163), ref: 00DB7316
                            • GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00DB732B
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: InitWtsApi
                            • API String ID: 2574300362-3428673357
                            • Opcode ID: b7cef5466d7c6a348d9e61d2ae311140cd5e13b7d601afb1794d727de40a3ad3
                            • Instruction ID: 8b2d8612ac34271469e120eacf3ed32b65b090a5f906fd2829dfd24e13e10197
                            • Opcode Fuzzy Hash: b7cef5466d7c6a348d9e61d2ae311140cd5e13b7d601afb1794d727de40a3ad3
                            • Instruction Fuzzy Hash: BCD0C271708605DF8B00AFF6AC065123BDC9740F447040432E819C6190EB71C410A660
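The two records above are worth reading together: the function that queries the WTSAPI_LIBRARY environment variable calls into a subroutine that does LoadLibraryA followed by GetProcAddress for the InitWtsApi export, which is the loader FreeRDP's WinPR library uses to pick up an alternative WTS API implementation named by that variable (WLOG_FILTER and WINPR_NATIVE_SSPI in the earlier records are WinPR settings as well). A library whose path comes from the process environment is a classic review item, and the sandbox listing makes the pattern easy to pull out mechanically. The script below is an added example written for this page, not code from the Joe Sandbox report, from FreeRDP or from the analysed sample; it parses API records in the report's own line format, using the three environment-variable records from this page as a constructed sample embedded in the script, and flags any function whose listing both reads a named environment variable and calls LoadLibrary*, returning the ref addresses so the analyst can jump to the call sites. The correlation is a heuristic: the listing carries no dataflow, so a hit means "inspect this call site", not "the variable value is the library path".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three environment-variable "APIs" records from this
# report, copied in the report's own line format (bullet, API.MODULE(args), ref: addr).
SAMPLE_REPORT = """\
APIs
• GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,00000000,?,00DAE987), ref: 00DAEBF6
• GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,?,?,00DAE987), ref: 00DAEC1A
Strings
APIs
• GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00DB4AE3), ref: 00DB4BCC
• GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00DB4AE3), ref: 00DB4BEC
Strings
APIs
• GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,00DB7163), ref: 00DB7190
• GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,?,00DB7163), ref: 00DB71B1
  • Part of subcall function 00DB7310: LoadLibraryA.KERNEL32(?,?,00DB71C4,00000000,?,?,00DB7163), ref: 00DB7316
  • Part of subcall function 00DB7310: GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00DB732B
Strings
"""

# One API call line; the "Part of subcall function" prefix is optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.-]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

ENV_APIS = {"GetEnvironmentVariableA", "GetEnvironmentVariableW"}
LOAD_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
UNKNOWN = {"?", "00000000"}  # how the report prints unresolved or NULL arguments


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                 # address of the call site
    subcall: Optional[str]   # address of the callee when the call sits in a subroutine


def parse_records(text: str) -> List[List[ApiCall]]:
    """Split a function listing into per-function call lists.

    A record opens at an 'APIs' line and closes at the first line that is not
    a call (for example 'Strings' or 'Memory Dump Source')."""
    records: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append(ApiCall(m.group("api"), m.group("module"), args,
                                   m.group("ref"), m.group("sub")))
        else:
            current = None
    return records


def env_vars_read(records: List[List[ApiCall]]) -> List[str]:
    """Every literal environment-variable name the listing shows being read."""
    names = {c.args[0] for rec in records for c in rec
             if c.api in ENV_APIS and c.args and c.args[0] not in UNKNOWN}
    return sorted(names)


def env_controlled_loads(records: List[List[ApiCall]]) -> List[Tuple[str, str, Optional[str], str]]:
    """Flag records that read an environment variable and also load a library.

    Returns (env_var, loader_api, resolved_export, load_ref) tuples. Co-occurrence
    only: confirm at load_ref that the variable's value really is the path."""
    findings = []
    for rec in records:
        env_vars = sorted({c.args[0] for c in rec
                           if c.api in ENV_APIS and c.args and c.args[0] not in UNKNOWN})
        loads = [c for c in rec if c.api in LOAD_APIS]
        if not env_vars or not loads:
            continue
        exports = [c.args[1] for c in rec
                   if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] not in UNKNOWN]
        for var in env_vars:
            findings.append((var, loads[0].api, exports[0] if exports else None, loads[0].ref))
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print("environment variables read:", ", ".join(env_vars_read(recs)))
    for var, loader, export, ref in env_controlled_loads(recs):
        print(f"review: {var} -> {loader} at {ref}, resolves export {export}")
```

Run against the whole function listing of a report, the same parser also gives a quick inventory of every environment variable the binary consults, which for a statically linked FreeRDP build is a useful fingerprint in its own right.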
                            APIs
                            • GetLastError.KERNEL32(?,?,00E0B650,00F60388,0000000C), ref: 00E1F430
                            • SetLastError.KERNEL32(00000000), ref: 00E1F4D2
                            • GetLastError.KERNEL32(00000000,?,00E05FDD,00E1F0E3,?,?,00DAF77A,0000000C,?,?,?,?,00D227D2,?,?,?), ref: 00E1F581
                            • SetLastError.KERNEL32(00000000,00000006), ref: 00E1F623
                              • Part of subcall function 00E1F066: HeapFree.KERNEL32(00000000,00000000,?,00E05F2D,?,?,?,00DAFA9A,?,?,?,?,?,00D2293F,?,?), ref: 00E1F07C
                              • Part of subcall function 00E1F066: GetLastError.KERNEL32(?,?,00E05F2D,?,?,?,00DAFA9A,?,?,?,?,?,00D2293F,?,?), ref: 00E1F087
                            Memory Dump Source
                            • Source File: 00000002.00000002.20747505100.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true
                            • Associated: 00000002.00000002.20746770713.0000000000740000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000EC4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F6B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000F8F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.000000000125C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001261000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001C63000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001DCA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20747505100.0000000001E6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000002.00000002.20757583013.0000000001E93000.00000004.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_740000_getscreen-156413884-x86.jbxd
                            Similarity
                            • API ID: ErrorLast$FreeHeap
                            • String ID:
                            • API String ID: 3197834085-0
                            • Opcode ID: 22509804bd682f8eaec2dfd37bf25b93d88e407174ee69ad06ce04db4bb828ff
                            • Instruction ID: d95a92f3901c124252cfcc67b2bccb2aaae44694cdde177fabd28b3c56474311
                            • Opcode Fuzzy Hash: 22509804bd682f8eaec2dfd37bf25b93d88e407174ee69ad06ce04db4bb828ff
                            • Instruction Fuzzy Hash: 59412B7661A3216ED6103B78BC86EEB3289AF15378B112370F634F61E1DB248ED291D1

                            Execution Graph

                            Execution Coverage:0.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:196
                            Total number of Limit Nodes:7

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(?), ref: 01EE2B13
                            • GetProcAddress.KERNELBASE(?,01EBCFF9), ref: 01EE2B31
                            • ExitProcess.KERNEL32(?,01EBCFF9), ref: 01EE2B42
                            • VirtualProtect.KERNELBASE(00790000,00001000,00000004,?,00000000), ref: 01EE2B90
                            • VirtualProtect.KERNELBASE(00790000,00001000), ref: 01EE2BA5
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                            • String ID:
                            • API String ID: 1996367037-0
                            • Opcode ID: a8c6dfa00922057e8da9ed8a420ec6d89a9345aa3fe10763739640caaa4d67f6
                            • Instruction ID: 6eaaf841d81c75a673464194d9a7066c7bc3ee7ff1da78a746860a7c17ac11d2
                            • Opcode Fuzzy Hash: a8c6dfa00922057e8da9ed8a420ec6d89a9345aa3fe10763739640caaa4d67f6
                            • Instruction Fuzzy Hash: E7511572A107134AD7318E7CDCC86ACB7D9EB452287581738DBEADB3C6E7A458068360

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00E6F42C: GetLastError.KERNEL32(00000000,?,00E55FDD,00E6F0E3,?,?,00DFF77A,0000000C,?,?,?,?,00D727D2,?,?,?), ref: 00E6F581
                              • Part of subcall function 00E6F42C: SetLastError.KERNEL32(00000000,00000006), ref: 00E6F623
                            • CloseHandle.KERNEL32(?,?,?,00E5B817,?,?,00E5B689,00000000), ref: 00E5B711
                            • FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00E5B817,?,?,00E5B689,00000000), ref: 00E5B727
                            • RtlExitUserThread.NTDLL(?,?,?,00E5B817,?,?,00E5B689,00000000), ref: 00E5B730
                            • GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 00E5B76E
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ErrorExitHandleLastThread$CloseFreeLibraryModuleUser
                            • String ID:
                            • API String ID: 1062721995-0
                            • Opcode ID: 6b961a0a04234e62606bb513180cdbd8951994e6b0a9b41d3746a05451c05db9
                            • Instruction ID: 4a8cec16b1cec00662ace7dc6d5cb4f380aa8e0d46a4831c6e3fe88c04a6f0bf
                            • Opcode Fuzzy Hash: 6b961a0a04234e62606bb513180cdbd8951994e6b0a9b41d3746a05451c05db9
                            • Instruction Fuzzy Hash: 5411B9B1500204AFC7209B66DC09E5ABBE8DFC4765F149627FD15E7291DB70DE09C690

                            Control-flow Graph

                            APIs
                            • GetLastError.KERNEL32(00FB0388,0000000C), ref: 00E5B63E
                            • RtlExitUserThread.NTDLL(00000000), ref: 00E5B645
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ErrorExitLastThreadUser
                            • String ID:
                            • API String ID: 1750398979-0
                            • Opcode ID: 37a3371b6520640fb700f51bf19a8f7cf974577f05dc2604c382fd80b63349e3
                            • Instruction ID: 29f01400bd7d5036cb01e822a295a85ab287ed79c33c312cf3ab2f50fbbd5da7
                            • Opcode Fuzzy Hash: 37a3371b6520640fb700f51bf19a8f7cf974577f05dc2604c382fd80b63349e3
                            • Instruction Fuzzy Hash: 78F0C2B19402049FDB04AFB0D80AF6E7BB4EF40751F20558AF815B7292DB709945CBA1

                            Control-flow Graph

                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00E6F758
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 9f5e83febb37be9699332cd0572b8cd72e1b7a69a35b788b9ab22a52348a0594
                            • Instruction ID: 873ff62d07046abdc760998ddd613d168e41085a8212fd529f3ab32f52770586
                            • Opcode Fuzzy Hash: 9f5e83febb37be9699332cd0572b8cd72e1b7a69a35b788b9ab22a52348a0594
                            • Instruction Fuzzy Hash: 00F054326E5624669B216B66BD55B9A3788AF417E4B156033FC14F7194CB20F80196E0
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E043BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EncryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EncryptMessage
                            • API String ID: 689400697-3976766517
                            • Opcode ID: 1cd6aa342aea25cc7c0ca7c98b2a5c7675ec7a13016895e6972a8f9994730307
                            • Instruction ID: 00b4ffd8fd512c942273b36e07e3291d2cd1cc0adeef1574bb2f6789495de580
                            • Opcode Fuzzy Hash: 1cd6aa342aea25cc7c0ca7c98b2a5c7675ec7a13016895e6972a8f9994730307
                            • Instruction Fuzzy Hash: 7B1108B53803057BD7216E52ED43F673B6CDBC0B61F044065FB00B50D1E992CA509771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E042FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DecryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DecryptMessage
                            • API String ID: 689400697-3301108232
                            • Opcode ID: b908d76626096b599dc38ddb375d3b2a036dac50a3f7b3fb2332be06a3098f5d
                            • Instruction ID: 5230df0488656d3765efc82bf485cba28b17912f51a030ce9e62826735298f00
                            • Opcode Fuzzy Hash: b908d76626096b599dc38ddb375d3b2a036dac50a3f7b3fb2332be06a3098f5d
                            • Instruction Fuzzy Hash: 9011C8B53843057BD6212A66ED43F6B3B6CE7C1B61F045055FB00B50D1EA96CA50D771
                            APIs
                            • crypto_cert_fingerprint.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DA5E1C
                              • Part of subcall function 00DA576E: crypto_cert_fingerprint_by_hash.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,sha256), ref: 00DA5779
                            • crypto_cert_issuer.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DA5E30
                            • crypto_cert_subject.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00DA5E3A
                            • certificate_data_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,00000000,00000000,00000000,?,?), ref: 00DA5E4A
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                             • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                             • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: certificate_data_newcrypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
                            • String ID:
                            • API String ID: 1865246629-0
                            • Opcode ID: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
                            • Instruction ID: 29bb91e61ca1c72291083759c46094960b9afd61ce87268b4e0551546b249161
                            • Opcode Fuzzy Hash: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
                            • Instruction Fuzzy Hash: FEE04F75500608BF8F112F6AEC05CAF7EBDDF867E4B184124BC185612ADA71CE1096B0
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E4FDC9,00F7C654), ref: 00E4FCAE
                            • UnhandledExceptionFilter.KERNEL32(?,?,00E4FDC9,00F7C654), ref: 00E4FCB7
                            • GetCurrentProcess.KERNEL32(C0000409,?,00E4FDC9,00F7C654), ref: 00E4FCC2
                            • TerminateProcess.KERNEL32(00000000,?,00E4FDC9,00F7C654), ref: 00E4FCC9
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                            • String ID:
                            • API String ID: 3231755760-0
                            • Opcode ID: 194fc4a186346830e5a298f8d0d84510eb302ceab79f8eb9f863f64eeb253e8f
                            • Instruction ID: f5fc143b5afab96c864f2b289b51f813dc03defc9a3ffb0086d926086a1b90cf
                            • Opcode Fuzzy Hash: 194fc4a186346830e5a298f8d0d84510eb302ceab79f8eb9f863f64eeb253e8f
                            • Instruction Fuzzy Hash: 8FD0CAB2000208AFCB002BE2FE0CF893B28BB0860AF050043F71AA20A0CA31440A8B62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • LoadLibraryA.KERNEL32(wtsapi32.dll,00E07168), ref: 00E0744E
                            • GetProcAddress.KERNEL32(00000000,WTSStopRemoteControlSession), ref: 00E0746B
                            • GetProcAddress.KERNEL32(WTSStartRemoteControlSessionW), ref: 00E0747D
                            • GetProcAddress.KERNEL32(WTSStartRemoteControlSessionA), ref: 00E0748F
                            • GetProcAddress.KERNEL32(WTSConnectSessionW), ref: 00E074A1
                            • GetProcAddress.KERNEL32(WTSConnectSessionA), ref: 00E074B3
                            • GetProcAddress.KERNEL32(WTSEnumerateServersW), ref: 00E074C5
                            • GetProcAddress.KERNEL32(WTSEnumerateServersA), ref: 00E074D7
                            • GetProcAddress.KERNEL32(WTSOpenServerW), ref: 00E074E9
                            • GetProcAddress.KERNEL32(WTSOpenServerA), ref: 00E074FB
                            • GetProcAddress.KERNEL32(WTSOpenServerExW), ref: 00E0750D
                            • GetProcAddress.KERNEL32(WTSOpenServerExA), ref: 00E0751F
                            • GetProcAddress.KERNEL32(WTSCloseServer), ref: 00E07531
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsW), ref: 00E07543
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsA), ref: 00E07555
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsExW), ref: 00E07567
                            • GetProcAddress.KERNEL32(WTSEnumerateSessionsExA), ref: 00E07579
                            • GetProcAddress.KERNEL32(WTSEnumerateProcessesW), ref: 00E0758B
                            • GetProcAddress.KERNEL32(WTSEnumerateProcessesA), ref: 00E0759D
                            • GetProcAddress.KERNEL32(WTSTerminateProcess), ref: 00E075AF
                            • GetProcAddress.KERNEL32(WTSQuerySessionInformationW), ref: 00E075C1
                            • GetProcAddress.KERNEL32(WTSQuerySessionInformationA), ref: 00E075D3
                            • GetProcAddress.KERNEL32(WTSQueryUserConfigW), ref: 00E075E5
                            • GetProcAddress.KERNEL32(WTSQueryUserConfigA), ref: 00E075F7
                            • GetProcAddress.KERNEL32(WTSSetUserConfigW), ref: 00E07609
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WTSCloseServer$WTSConnectSessionA$WTSConnectSessionW$WTSCreateListenerA$WTSCreateListenerW$WTSDisconnectSession$WTSEnableChildSessions$WTSEnumerateListenersA$WTSEnumerateListenersW$WTSEnumerateProcessesA$WTSEnumerateProcessesExA$WTSEnumerateProcessesExW$WTSEnumerateProcessesW$WTSEnumerateServersA$WTSEnumerateServersW$WTSEnumerateSessionsA$WTSEnumerateSessionsExA$WTSEnumerateSessionsExW$WTSEnumerateSessionsW$WTSFreeMemory$WTSFreeMemoryExA$WTSFreeMemoryExW$WTSGetActiveConsoleSessionId$WTSGetChildSessionId$WTSGetListenerSecurityA$WTSGetListenerSecurityW$WTSIsChildSessionsEnabled$WTSLogoffSession$WTSOpenServerA$WTSOpenServerExA$WTSOpenServerExW$WTSOpenServerW$WTSQueryListenerConfigA$WTSQueryListenerConfigW$WTSQuerySessionInformationA$WTSQuerySessionInformationW$WTSQueryUserConfigA$WTSQueryUserConfigW$WTSQueryUserToken$WTSRegisterSessionNotification$WTSRegisterSessionNotificationEx$WTSSendMessageA$WTSSendMessageW$WTSSetListenerSecurityA$WTSSetListenerSecurityW$WTSSetUserConfigA$WTSSetUserConfigW$WTSShutdownSystem$WTSStartRemoteControlSessionA$WTSStartRemoteControlSessionW$WTSStopRemoteControlSession$WTSTerminateProcess$WTSUnRegisterSessionNotification$WTSUnRegisterSessionNotificationEx$WTSVirtualChannelClose$WTSVirtualChannelOpen$WTSVirtualChannelOpenEx$WTSVirtualChannelPurgeInput$WTSVirtualChannelPurgeOutput$WTSVirtualChannelQuery$WTSVirtualChannelRead$WTSVirtualChannelWrite$WTSWaitSystemEvent$wtsapi32.dll
                            • API String ID: 2238633743-2998606599
                            • Opcode ID: ceab1d860b50672c3d1b0cf81eef32efba1ffe9dab26bc5655570433f48d81d5
                            • Instruction ID: e8802ce76b32d3e14707b00436f41282ad51391084449db4330f6ba418dbb76d
                            • Opcode Fuzzy Hash: ceab1d860b50672c3d1b0cf81eef32efba1ffe9dab26bc5655570433f48d81d5
                            • Instruction Fuzzy Hash: A8B167B4D44314EACB359F79AC8A8863E63E7847723404C16EA84766D8D7BF8054EFB1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • freerdp_error_info.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,00DF14DF,?,00000000), ref: 00DF1519
                            • freerdp_get_error_info_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,?,?,?,?,?,?,00DF14DF,?,00000000), ref: 00DF155D
                            • freerdp_reconnect.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,00DF14DF,?,00000000), ref: 00DF1601
                            • freerdp_get_last_error.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,00DF14DF,?,00000000), ref: 00DF1611
                            • Sleep.KERNEL32(0000000A,?,?,?,?,?,?,00DF14DF,?,00000000), ref: 00DF167E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Sleepfreerdp_error_infofreerdp_get_error_info_stringfreerdp_get_last_errorfreerdp_reconnect
                            • String ID: Attempting reconnect (%u of %u)$Autoreconnect aborted by user$C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c$Disconnected by server hitting a bug or resource limit [%s]$Maximum reconnect retries exceeded$Network disconnect!$client_auto_reconnect_ex$com.freerdp.client.common
                            • API String ID: 968149013-2963753137
                            • Opcode ID: c42da8ca239ce898b107c1912638a48498f090637d0499f67a28c69027066bc4
                            • Instruction ID: 6ec93ff038fbce96fc288b696b88259a304ca6fbe61c6adb3257042018ba9001
                            • Opcode Fuzzy Hash: c42da8ca239ce898b107c1912638a48498f090637d0499f67a28c69027066bc4
                            • Instruction Fuzzy Hash: 0E51DB75B40309B7E7217B25EC87FBA3BA4DB50B10F19C029FB04EA1D1EA75CA809635

                            Control-flow Graph

                            APIs
                            • gdi_get_pixel_format.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,00DBA899,?,?,00000000,00000000,Function_006DAA7A), ref: 00DBA8B3
                            • gdi_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,00DBA899,?,?,00000000,00000000,Function_006DAA7A), ref: 00DBAA40
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: gdi_freegdi_get_pixel_format
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c$com.freerdp.gdi$failed to initialize gdi$gdi_init_ex
                            • API String ID: 1251975138-534786182
                            • Opcode ID: f1b02cd628de1cac183c2eccbedcee1fb773f98a9125d2f9114977f95833268f
                            • Instruction ID: 616c62aae98e2d79bb1ee78e974633deab4f5364bac7dd4f1d1b619f272b53e2
                            • Opcode Fuzzy Hash: f1b02cd628de1cac183c2eccbedcee1fb773f98a9125d2f9114977f95833268f
                            • Instruction Fuzzy Hash: F8418171200702AFDB14AF38DC42BA977E5FF04310F148429FA599A292EF72E851DB71

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00D80F64
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00D80F79
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: ,$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load_ex
                            • API String ID: 3168844106-1571615648
                            • Opcode ID: 619683cd3f89b537ea8e780acc0e8946f87be9cfaf9fd741d3cb30b70b504b9e
                            • Instruction ID: ea41f45de7f7f5e92d8fab339ad28d69cbebc4ec4431fca66bf33007cf516394
                            • Opcode Fuzzy Hash: 619683cd3f89b537ea8e780acc0e8946f87be9cfaf9fd741d3cb30b70b504b9e
                            • Instruction Fuzzy Hash: 8B41F471A4430AABDB60EF68DC42F9A7BE4EF08724F144429F644FB291D774E9049BB4

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • freerdp_settings_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000), ref: 00D87326
                              • Part of subcall function 00D87F9B: GetComputerNameExA.KERNEL32(00000000,?,?,00000000), ref: 00D87FCC
                              • Part of subcall function 00D87F9B: freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000680,?), ref: 00D87FFC
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000086,?), ref: 00D86D8C
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00001446,00000001), ref: 00D87177
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00001447,00000003), ref: 00D8718F
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00001448,00000005), ref: 00D871A7
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00001449,00000002), ref: 00D871BF
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,0000144A,00002328), ref: 00D871DA
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,0000144D,00003A98), ref: 00D871F5
                            Strings
                            • C:\Windows\System32\mstscax.dll, xrefs: 00D86F3F
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_uint32$freerdp_settings_set_string$ComputerNamefreerdp_settings_freefreerdp_settings_set_bool
                            • String ID: C:\Windows\System32\mstscax.dll
                            • API String ID: 2536960967-183970058
                            • Opcode ID: 82bdff7d3608d2737708f287db7337eb1d03ec5bf27c3f60c916d941e1c921a0
                            • Instruction ID: 7bf49d9aafe527f349d0d8bc83618f3f7e8bf0a72b3b72751e3a456fd108fd8e
                            • Opcode Fuzzy Hash: 82bdff7d3608d2737708f287db7337eb1d03ec5bf27c3f60c916d941e1c921a0
                            • Instruction Fuzzy Hash: 1312F8B1A04F009EE324DF39D885B93B7E4FF08311F64492EE5AE87291DBB1A544CB59

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • freerdp_device_collection_add.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00DF6D79
                            • freerdp_device_collection_add.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000), ref: 00DF6E1D
                            • freerdp_device_collection_add.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000), ref: 00DF6F6F
                            • freerdp_device_collection_add.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000), ref: 00DF7044
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_device_collection_add
                            • String ID: drive$parallel$printer$serial$smartcard
                            • API String ID: 2538329621-807955808
                            • Opcode ID: 60d5153692331460be96c749f716fcadbf8152338409b10500d5e20831fc47d5
                            • Instruction ID: 995fd6f359ec9e5e2ee7dc54bc1cb1bb892e6b6c424b1348aed3785ce1f85fc2
                            • Opcode Fuzzy Hash: 60d5153692331460be96c749f716fcadbf8152338409b10500d5e20831fc47d5
                            • Instruction Fuzzy Hash: ABB1B03660460AABCF15AF18DC529AD7BE1FF04310B1AC469F904AF652EF32DD558BB0
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00D80D92
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00D80DB2
                            Strings
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load
                            • API String ID: 3168844106-4217659166
                            • Opcode ID: fe8f614941f32d389c5750b2fd4a398d2b867524d9dacaf7cafe7feb5c4e0b8a
                            • Instruction ID: f88f921f52070553799b9bcd070177e3f031b5008f69fd00b28e4de10b132999
                            • Opcode Fuzzy Hash: fe8f614941f32d389c5750b2fd4a398d2b867524d9dacaf7cafe7feb5c4e0b8a
                            • Instruction Fuzzy Hash: B451D671A44305AFEB60EF65DC82F9E7BA4EB04724F144029FA44EB291E7B4E904CB74
                            APIs
                            • audio_format_get_tag_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,?,?,00E85425,?,?,?,?,00000000,?), ref: 00E858FA
                            • audio_format_get_tag_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000001,00000000,?,?,00E85425,?,?,?,?,00000000,?), ref: 00E85902
                            • audio_format_compatible.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(%T,?,?,?,?,00E85425,?,?,?,?,00000000,?), ref: 00E8594D
                            Strings
                            Similarity
                            • API ID: audio_format_get_tag_string$audio_format_compatible
                            • String ID: %T$%s requires %s for sample input, got %s$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c$Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON$com.freerdp.dsp$freerdp_dsp_resample
                            • API String ID: 204136587-1473788660
                            • Opcode ID: 902375e055f29cf71d20c38f1f0a124997741c0a947a1247e5b17cf75dfe31f5
                            • Instruction ID: e633f4ba85abd92e7f272144f4fa666f3062753ea98c28059586aa03374bc90f
                            • Opcode Fuzzy Hash: 902375e055f29cf71d20c38f1f0a124997741c0a947a1247e5b17cf75dfe31f5
                            • Instruction Fuzzy Hash: 692183B26843056AFB247BA4AC43F7A339CDB40B68F11501AF65CFA1C1EDA5D840977A
                            APIs
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000400,00000001), ref: 00E83B87
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000401,00000000), ref: 00E83BB7
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000404,?), ref: 00E83BDB
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000402,00000000), ref: 00E83BFA
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000014,?), ref: 00E83C12
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000006C1,?), ref: 00E83C2B
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000403,?), ref: 00E83C44
                            • freerdp_settings_set_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000015,00000000), ref: 00E83C60
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000013,?), ref: 00E83C82
                            • freerdp_target_net_addresses_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00E83C93
                            Similarity
                            • API ID: freerdp_settings_set_string$freerdp_settings_set_boolfreerdp_settings_set_uint32freerdp_target_net_addresses_free
                            • String ID:
                            • API String ID: 949014189-0
                            • Opcode ID: 6cef6dd10707ff90aaa457e2c58685527288738f0f1d639d76a365eb69d9ad72
                            • Instruction ID: b86fb5ac551fb952c3d39a6107dd5435d2f88993dc7608296e6d8f977c0771a0
                            • Opcode Fuzzy Hash: 6cef6dd10707ff90aaa457e2c58685527288738f0f1d639d76a365eb69d9ad72
                            • Instruction Fuzzy Hash: E441B371600A06BFEB216E34CC45F9AB395FF05708F041024FA0DA66D1E772FA60C7A4
                            APIs
                              • Part of subcall function 00E05CD5: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,?,00E31701,00000001), ref: 00E05CF9
                            • zgfx_context_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000), ref: 00E31874
                              • Part of subcall function 00E8693A: zgfx_context_reset.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000000,00000000,?,00E31879,00000000), ref: 00E86964
                            Strings
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpinzgfx_context_newzgfx_context_reset
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c$Failed to acquire reference to WLog %s$HashTable_New failed!$calloc failed!$com.freerdp.channels.rdpgfx.client$rdpgfx_client_context_new$zgfx_context_new failed!
                            • API String ID: 3732774510-3243565116
                            • Opcode ID: c8027c93abac8d1911740ff55ffcaba150e0bcc2bfdd262e00365a836e814375
                            • Instruction ID: 0adf2f1cdf4b897dd36acc03c5f7cadfba1471e366bd4462a06d94c6eeb34ac9
                            • Opcode Fuzzy Hash: c8027c93abac8d1911740ff55ffcaba150e0bcc2bfdd262e00365a836e814375
                            • Instruction Fuzzy Hash: E37125B1680B026EE3249B259C86B567BE4FF14B24F10546EF644FB6D1DBB4E400CFA9
                            APIs
                              • Part of subcall function 00E06B05: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,00000000,00000000,00000000,?,00DBE59B,00000001,00006060,00000010), ref: 00E06B3E
                            • GetVersionExA.KERNEL32(?), ref: 00DBE5CD
                            • GetNativeSystemInfo.KERNEL32(?), ref: 00DBE5E7
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00DBE612
                            • primitives_get.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE ref: 00DBE6DC
                            • CreateThreadpool.KERNEL32(00000000), ref: 00DBE6E2
                            Strings
                            • com.freerdp.codec.rfx, xrefs: 00DBE530
                            • Software\FreeRDP\FreeRDP\RemoteFX, xrefs: 00DBE605
                            Similarity
                            • API ID: CountCreateCriticalInfoInitializeNativeOpenSectionSpinSystemThreadpoolVersionprimitives_get
                            • String ID: Software\FreeRDP\FreeRDP\RemoteFX$com.freerdp.codec.rfx
                            • API String ID: 3882483829-2530424157
                            • Opcode ID: e94d9f05e4692cc4ae63af79d610a1952f77b9c0d49b428c51dd84272e0953e4
                            • Instruction ID: d96e799d85250d79e989228b51b33ec0f9368ed40a9bebcdf9cf47bcb671d146
                            • Opcode Fuzzy Hash: e94d9f05e4692cc4ae63af79d610a1952f77b9c0d49b428c51dd84272e0953e4
                            • Instruction Fuzzy Hash: C841A0B1A00705AFE720AF75DC86B96B7F8FF44704F10446EE50AA7242DB70D9598BA0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00DFE8B2
                            • GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00DFE8D6
                            Strings
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: %s environment variable modified in my back$BINARY$CONSOLE$FILE$UDP$WLOG_APPENDER
                            • API String ID: 1431749950-225596728
                            • Opcode ID: 7b209d3faeb35880f49f28e3e4cd870ebb977d1789e4f8827a1ed6613a682ccd
                            • Instruction ID: bb9b67ba09068053311dfc438a620d5628d385eda827760ad2bad87bc8804c09
                            • Opcode Fuzzy Hash: 7b209d3faeb35880f49f28e3e4cd870ebb977d1789e4f8827a1ed6613a682ccd
                            • Instruction Fuzzy Hash: 97214B3224431A28B6A43335AC4BE3B1798CF41736766442FFB15F60D2EED1C84559B2
                            APIs
                            • freerdp_set_last_error_ex.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000015B), ref: 00D848D9
                            • freerdp_set_last_error_ex.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000016A), ref: 00D8498F
                            Strings
                            Similarity
                            • API ID: freerdp_set_last_error_ex
                            • String ID: %s missing context=%p$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c$ErrorInfo$com.freerdp.core.rdp$freerdp$rdp_set_error_info
                            • API String ID: 270715978-29603548
                            • Opcode ID: ad13b5d4b05f3ae3b1d3e295541be05fba896a0d79f16fda00548cbf18024f23
                            • Instruction ID: 46898f6e7285ec71178fa19afbe43465394229eed600a38ca599dc4277d6cb32
                            • Opcode Fuzzy Hash: ad13b5d4b05f3ae3b1d3e295541be05fba896a0d79f16fda00548cbf18024f23
                            • Instruction Fuzzy Hash: 8F21F972A44315B6D7207B54DC43FEB7B689F41B20F188069FA086A1C2E7B0D6409FB2
                            APIs
                            • LoadLibraryA.KERNEL32(secur32.dll,?,00E04AEC), ref: 00E04B18
                            • LoadLibraryA.KERNEL32(security.dll,?,00E04AEC), ref: 00E04B28
                            • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceW), ref: 00E04B42
                            • GetProcAddress.KERNEL32(InitSecurityInterfaceA), ref: 00E04B51
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: InitSecurityInterfaceA$InitSecurityInterfaceW$secur32.dll$security.dll
                            • API String ID: 2574300362-4081094439
                            • Opcode ID: 44c26a0b8454c3c7a025a0483302da6d7d792f836b8911591e5af82659464158
                            • Instruction ID: 6bd92f814d477de568f9a8b6f88b7f477cc184f4b468bb5253a60010225640c6
                            • Opcode Fuzzy Hash: 44c26a0b8454c3c7a025a0483302da6d7d792f836b8911591e5af82659464158
                            • Instruction Fuzzy Hash: 56F089F6D6472796C732BBBABC00D567AE8ABC47553060163ED40E31C4FA75C8414F91
                            APIs
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00DB4320
                            • GetFileSize.KERNEL32(00000000,?), ref: 00DB433A
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: File$CreateSize
                            • String ID: %s %hu %s %s %s
                            • API String ID: 2791376181-2916857029
                            • Opcode ID: 249e4c0256f07ce6d3b79974e627c19ddb03b72030835720a2b2d51165147c52
                            • Instruction ID: 826fce232b08b04573e43e64876e306f3bc06a869360831164a6d2b2a1e4dc50
                            • Opcode Fuzzy Hash: 249e4c0256f07ce6d3b79974e627c19ddb03b72030835720a2b2d51165147c52
                            • Instruction Fuzzy Hash: AD513EB1900615AFEB21DBA5EC55AFF77ECEF09720F14452AF912E6291EB7099008A70
                            APIs
                            • ber_read_universal_tag.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000002,00000000), ref: 00D9502A
                            • ber_read_length.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00D9503F
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ber_read_lengthber_read_universal_tag
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c$ber_read_integer$com.freerdp.crypto$should implement reading an 8 bytes integer$should implement reading an integer with length=%d
                            • API String ID: 3186670568-2454464461
                            • Opcode ID: 2850dc09beca94aa4ccbe778c8a29d30f7d644dcfebc43f3e66442c4f4e91e89
                            • Instruction ID: 4436d8c0da9a2ec1a6e694bb0bb60515438e7b85cbdbce8461aae9aadd9fbda3
                            • Opcode Fuzzy Hash: 2850dc09beca94aa4ccbe778c8a29d30f7d644dcfebc43f3e66442c4f4e91e89
                            • Instruction Fuzzy Hash: B3417AB1704B016BDF228F24EC92B3937E5EB52720F188179F5989B28DE639D901CB71
                            APIs
                            • region16_rects.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00DD9C6E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: region16_rects
                            • String ID: (%hu,%hu-%hu,%hu)$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c$band %d: $com.freerdp.codec$nrects=%u$region16_print
                            • API String ID: 844131241-2640574824
                            • Opcode ID: 16a4f5c82a80f8d039b999ba1026581fefa725d520f072c686992a20dc927ac3
                            • Instruction ID: 4d452d87bfa556f62731092c67ea56ecce3a8df158675344271739697d742501
                            • Opcode Fuzzy Hash: 16a4f5c82a80f8d039b999ba1026581fefa725d520f072c686992a20dc927ac3
                            • Instruction Fuzzy Hash: 9631D47279030179E730AB69AC93FB67BE9EB15B11F140016FA44F61C0FAA7D9809371
                            APIs
                            • freerdp_set_last_error_ex.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D72C14
                            • clearChannelError.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D72C1B
                              • Part of subcall function 00D726E1: ResetEvent.KERNEL32(?), ref: 00D7270A
                              • Part of subcall function 00D88142: ResetEvent.KERNEL32(?,?,00D72C27,?,?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00D8814E
                            Strings
                            • freerdp_connect, xrefs: 00D72C01
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D72BFC
                            • ConnectionResult, xrefs: 00D73077
                            • freerdp, xrefs: 00D73062
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: EventReset$ChannelErrorclearfreerdp_set_last_error_ex
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$ConnectionResult$freerdp$freerdp_connect
                            • API String ID: 3632380314-3564821047
                            • Opcode ID: 5083121d53691873a848acf7f63ee88ab4d89f43cd4c23839862495ec46aee11
                            • Instruction ID: 6c9a3f0ab8c5ba2f10ce93fcb55e8a5e506bf58a8a341a4480c331b54ee94138
                            • Opcode Fuzzy Hash: 5083121d53691873a848acf7f63ee88ab4d89f43cd4c23839862495ec46aee11
                            • Instruction Fuzzy Hash: 5C319EB0A00205AFE710DF79D885BAAB7E8FF08700F184079F908E7291EB71D9449B60
                            APIs
                            • ber_write_universal_tag.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000002,00000000), ref: 00D95415
                            • ber_write_length.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000001,?,00000002,00000000), ref: 00D9541D
                            • ber_write_universal_tag.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000002,00000000), ref: 00D95440
                            • ber_write_length.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000002,?,00000002,00000000), ref: 00D95448
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ber_write_lengthber_write_universal_tag
                            • String ID:
                            • API String ID: 1889070510-0
                            • Opcode ID: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
                            • Instruction ID: 13587c9050c0f3715181da9cb44b1e90f095ab4e912c6b82ba3a34b16332433c
                            • Opcode Fuzzy Hash: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
                            • Instruction Fuzzy Hash: A021F530101F40AFDF536B04ED42BAA77A5EF11B01F018479FA8A1FA97C221BA41CBB1
                            APIs
                            • glyph_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CB79
                            • brush_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CB86
                            • pointer_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CB94
                            • bitmap_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CBA2
                            • offscreen_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CBB0
                            • palette_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CBBE
                            • nine_grid_cache_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CBCC
                            • cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000), ref: 00D9CBDE
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: bitmap_cache_newbrush_cache_newcache_freeglyph_cache_newnine_grid_cache_newoffscreen_cache_newpalette_cache_newpointer_cache_new
                            • String ID:
                            • API String ID: 2332728789-0
                            • Opcode ID: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
                            • Instruction ID: 9dc246277ca6ac153fa420f850770bde7ca6b90e63686fdb2eb299e1319dcef7
                            • Opcode Fuzzy Hash: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
                            • Instruction Fuzzy Hash: D301C476158B075AFB20AE75A852E3B77E8CF42B74718153EE480D6981FF20D40186B1
                            APIs
                            • region16_init.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DBF58A
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: region16_init
                            • String ID:
                            • API String ID: 4140821900-0
                            • Opcode ID: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
                            • Instruction ID: 90a7bb4e77a66ab81e78b301876794af59ec3d03129c99faa40ad1df45be780c
                            • Opcode Fuzzy Hash: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
                            • Instruction Fuzzy Hash: 4B514BB2D00219DBCB18DFA9CC819EEBBF9EF48304F14452AF55AE7240E7359945CB60
                            APIs
                            • gdi_CreateCompatibleDC.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000,?,?,?,00DBA9C7,00000000,?,?,?,?,?,?,?,?,00DBA899), ref: 00DBAAE7
                            • gdi_CreateCompatibleBitmap.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,00000000,?,?,?,00DBA9C7,00000000,?,?,?,?), ref: 00DBAB0E
                            • gdi_CreateBitmapEx.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,00000000,?,?,?,00DBA9C7,00000000,?,?,?,?), ref: 00DBAB2A
                            • gdi_SelectObject.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00DBAB60
                            • gdi_CreateRectRgn.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000000,00000000,00000000), ref: 00DBABA5
                            • gdi_DeleteObject.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DBAC39
                            • gdi_DeleteDC.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DBAC48
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: gdi_$Create$BitmapCompatibleDeleteObject$RectSelect
                            • String ID:
                            • API String ID: 412453062-0
                            • Opcode ID: 63bcb7db3704573387d602035f9edcf4ce94fd8292c8b1d92a53da2faae9183a
                            • Instruction ID: c90b079c33707dd763dc0692d66964d0ceee833f61e6f3186bd868adca8975de
                            • Opcode Fuzzy Hash: 63bcb7db3704573387d602035f9edcf4ce94fd8292c8b1d92a53da2faae9183a
                            • Instruction Fuzzy Hash: 1751F8792007059FC725DF29D885E96BBE1FF1C310B09456EE98A8B762E771E841CF60
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,00000000,00000000,?,?,?,?,?,00E06939,?,?,?,?,00E06A0A,?), ref: 00E0EABD
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,?,?,?,?,00E06939,?,?,?,?,00E06A0A,?,?,00000000), ref: 00E0EAE7
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,00000000,?,?,?,00E06939,?,?,?,?,00E06A0A,?,?,00000000), ref: 00E0EB14
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,?,?,?,?,00E06939,?,?,?,?,00E06A0A,?,?,00000000), ref: 00E0EB37
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WLOG_FILEAPPENDER_OUTPUT_FILE_NAME$WLOG_FILEAPPENDER_OUTPUT_FILE_PATH
                            • API String ID: 1431749950-2760771567
                            • Opcode ID: 34e5cf2b2eb3326e4e532ca61229d8fd752eb597d78f35217c6fe90dd113de02
                            • Instruction ID: 32d4d82e9f790c0c36b72e9d12b3b729901f91e3c7a74a9442c04416497dba1d
                            • Opcode Fuzzy Hash: 34e5cf2b2eb3326e4e532ca61229d8fd752eb597d78f35217c6fe90dd113de02
                            • Instruction Fuzzy Hash: D331F672A00A167FD7205BA5988AD6EBBA8FF403683101839F801B33C0DB719C458AE0
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(01031278,Function_00068C90,007F8EC0,00000000), ref: 007F8F0A
                            • GetLastError.KERNEL32 ref: 007F8F38
                            • TlsGetValue.KERNEL32 ref: 007F8F46
                            • SetLastError.KERNEL32(00000000), ref: 007F8F4F
                            • RtlAcquireSRWLockExclusive.NTDLL(01031284), ref: 007F8F61
                            • RtlReleaseSRWLockExclusive.NTDLL(01031284), ref: 007F8F73
                            • TlsSetValue.KERNEL32(00000000,?,?,00000000,007DB080), ref: 007F8FB5
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
                            • String ID:
                            • API String ID: 389898287-0
                            • Opcode ID: f35cc0ae6dc468d8fd4f0e32af62e9c47f7205c2344147407debda508d571a68
                            • Instruction ID: af4d09445272c5149079d8793c56c92d5a226aa05e3ada8173a60dffc47b102d
                            • Opcode Fuzzy Hash: f35cc0ae6dc468d8fd4f0e32af62e9c47f7205c2344147407debda508d571a68
                            • Instruction Fuzzy Hash: F921C5B1600208AFD7509FB5EC49B7E3BA9BB49701F000026FD05E6390DB759919CBA2
                            APIs
                            • socket.WS2_32(00000002,00000002,00000011), ref: 00E0F673
                            • GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00E06921,?,?,?,?,00E06A0A,?,?,00000000,?,00DFE976,00000000), ref: 00E0F68A
                            • GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00E06921,?,?,?,?,00E06A0A,?,?,00000000,?,00DFE976,00000000), ref: 00E0F6AB
                            • closesocket.WS2_32(?), ref: 00E0F6E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: EnvironmentVariable$closesocketsocket
                            • String ID: 127.0.0.1:20000$WLOG_UDP_TARGET
                            • API String ID: 65193492-3368084233
                            • Opcode ID: 3c4cee289dc8e76f32d36ce9df8aa1854a66198c1105e733308cd71fe0f1a5ee
                            • Instruction ID: 2a34d0e45c505f02e77a476a7ef92d216e148a0d97ecd4e0c65b49f47b8200d4
                            • Opcode Fuzzy Hash: 3c4cee289dc8e76f32d36ce9df8aa1854a66198c1105e733308cd71fe0f1a5ee
                            • Instruction Fuzzy Hash: 9C21F972504B016FD3345F65AC1AB177BE0EF80719F20152EF582BADE1DBB2E49587A0
                            APIs
                            • LoadLibraryA.KERNEL32(winsta.dll,?,00E078D9,010B7120), ref: 00E10023
                            • GetProcAddress.KERNEL32(00000000,WinStationVirtualOpen), ref: 00E1003C
                            • GetProcAddress.KERNEL32(WinStationVirtualOpenEx), ref: 00E10052
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WinStationVirtualOpen$WinStationVirtualOpenEx$winsta.dll
                            • API String ID: 2238633743-2382846951
                            • Opcode ID: 6b88bf3d4b5b7e81cb7259c2dde00af0b6c4edf06fb324f5929ef23133ffd48f
                            • Instruction ID: ef28b70e9fc5cde35dd1bc52c3fdf32da561f459ef41a8cb8abca8312c70a065
                            • Opcode Fuzzy Hash: 6b88bf3d4b5b7e81cb7259c2dde00af0b6c4edf06fb324f5929ef23133ffd48f
                            • Instruction Fuzzy Hash: BD011EB06113459FD7009FB1990EFA53BE4AB88359F0554BAE489EB263DBF580C4DF14
                            APIs
                            • glyph_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D9CB1E
                            • brush_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00D9CB26
                            • pointer_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?), ref: 00D9CB2E
                            • bitmap_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?), ref: 00D9CB36
                            • offscreen_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?), ref: 00D9CB3E
                            • palette_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?), ref: 00D9CB46
                            • nine_grid_cache_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?), ref: 00D9CB4E
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: bitmap_cache_freebrush_cache_freeglyph_cache_freenine_grid_cache_freeoffscreen_cache_freepalette_cache_freepointer_cache_free
                            • String ID:
                            • API String ID: 637575458-0
                            • Opcode ID: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
                            • Instruction ID: d37850bb7118e97951563b289278a2d05a2c245e6fe61531a6680fa2fe221b1e
                            • Opcode Fuzzy Hash: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
                            • Instruction Fuzzy Hash: A8E06D31011A10ABCF323F61DC03C5ABBAAFF107513015828F886214728B22AC20ABB0
                            APIs
                            • gdi_CRgnToRect.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00DDE040
                            • gdi_RgnToRect.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?), ref: 00DDE04F
                            • gdi_CRgnToRect.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00DDE062
                            • gdi_RgnToRect.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?), ref: 00DDE0A3
                            • gdi_CRgnToRect.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,?,?,?), ref: 00DDE0C8
                            • gdi_RectToCRgn.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DDE147
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Rectgdi_
                            • String ID:
                            • API String ID: 2404991910-0
                            • Opcode ID: 469cb6860012e43950ac85b6b31c1b276f2a1fa2ad26881beb634cf1efaafb73
                            • Instruction ID: 82ac532ef29ebace44529ee4109722c0054c4798f49b7d86abff03eb4a7a74cc
                            • Opcode Fuzzy Hash: 469cb6860012e43950ac85b6b31c1b276f2a1fa2ad26881beb634cf1efaafb73
                            • Instruction Fuzzy Hash: 1751C2B5E01619EFCF14DFA9C9818EEBBB9FF48710B14401AE515A7350D771AA41CBA0
                            APIs
                            • freerdp_settings_set_uint32.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000007C0,?), ref: 00DB1DA2
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000007C8,00000001), ref: 00DB1DCC
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000007C8,00000000), ref: 00DB1DE8
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000007C9,00000000), ref: 00DB1DFC
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000007C8,00000000), ref: 00DB1E19
                            • freerdp_settings_set_bool.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,000007C9,00000000), ref: 00DB1E2D
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_settings_set_bool$freerdp_settings_set_uint32
                            • String ID:
                            • API String ID: 4272850885-0
                            • Opcode ID: fad6795779e0600882673a89c48fb156f3d83e8e8ab2019e83a44d2ff3258703
                            • Instruction ID: e052566677020a61edd9331f1bbe8d02c1d7dbe2743c1ab7591699e553f6bb15
                            • Opcode Fuzzy Hash: fad6795779e0600882673a89c48fb156f3d83e8e8ab2019e83a44d2ff3258703
                            • Instruction Fuzzy Hash: 3E11C86AF85202F5FE6110655CA3FFB139C8F61B54F980425FE0AE51C1E995EA0084B6
                            APIs
                            • freerdp_image_copy.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,?,08008000,00000000,00000000,00000000,?,00000001,?,?), ref: 00DD8C2B
                            Strings
                            • freerdp_image_copy_from_icon_data, xrefs: 00DD8DBA
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00DD8DBF
                            • 1bpp and 4bpp icons are not supported, xrefs: 00DD8DB5
                            • com.freerdp.color, xrefs: 00DD8D98
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_image_copy
                            • String ID: 1bpp and 4bpp icons are not supported$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$com.freerdp.color$freerdp_image_copy_from_icon_data
                            • API String ID: 1523062921-332027372
                            • Opcode ID: 4f07c300ff068ff7755469e8b9dd4f006274509c0692e1405dc199bdeebd94a0
                            • Instruction ID: 307efc370804042446f697f3c5d7d3943831dbbaaaa4afd654cc4b0de9e6c72b
                            • Opcode Fuzzy Hash: 4f07c300ff068ff7755469e8b9dd4f006274509c0692e1405dc199bdeebd94a0
                            • Instruction Fuzzy Hash: 2451B5B2A0021DAEDF259F25CC41AFA77B9EB54300F0881AAF915A62C1D7719E81DF74
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID:
                            • String ID: kbd-lang-list$kbd-list$monitor-list
                            • API String ID: 0-1393584692
                            • Opcode ID: 9e3dc6d823800c3b6294b6e5fd45f857cbeae7b1a1aad647392ba259697db6d5
                            • Instruction ID: 53f4024aa060fe13976823c78f48616cf880d6899bda2b72b5d526ac7d91c0c6
                            • Opcode Fuzzy Hash: 9e3dc6d823800c3b6294b6e5fd45f857cbeae7b1a1aad647392ba259697db6d5
                            • Instruction Fuzzy Hash: 3B31C732E0121DAACB20DB68DD46DDAB7E8EB04751F0545A5FE08E31D2DA70DA44AAE1
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c, xrefs: 00DC9AFA
                            • interleaved_compress, xrefs: 00DC9AF5
                            • interleaved_compress: width (%u) or height (%u) is greater than 64, xrefs: 00DC9AF0
                            • com.freerdp.codec, xrefs: 00DC9AD0
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID:
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c$com.freerdp.codec$interleaved_compress$interleaved_compress: width (%u) or height (%u) is greater than 64
                            • API String ID: 0-4054760794
                            • Opcode ID: 50fd7e96157634b74ebe40d81ef02529f45ba464b295dff6b105378c327bc0fe
                            • Instruction ID: c4d2591576e818b0d67891e845fedbadf495ad15037636ca0a3fa04f5ae1fde1
                            • Opcode Fuzzy Hash: 50fd7e96157634b74ebe40d81ef02529f45ba464b295dff6b105378c327bc0fe
                            • Instruction Fuzzy Hash: EB21F27230020ABBEF255E56DC8AFEB7B59EB00750F08411DF904970A0E672EC50DB71
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03CC8
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextW
                            • API String ID: 689400697-743139187
                            • Opcode ID: 785df52cfc7cd6eec4fc588064dbafc6182aed6f50fd422a44983c707f940d3d
                            • Instruction ID: 7d36800df3c05358ea9e72348ddb2c4aac514a60aa2843b6816670efb665cc9f
                            • Opcode Fuzzy Hash: 785df52cfc7cd6eec4fc588064dbafc6182aed6f50fd422a44983c707f940d3d
                            • Instruction Fuzzy Hash: 0821C672280204BBDF225E65EC02EEB3F6DEB94B55F044155FF00B50E1D662DA60E771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03DA3
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextA
                            • API String ID: 689400697-1744466472
                            • Opcode ID: abef78815e0f20c67dd390d4b7fbc849a4065edd50e78c003621482003607b49
                            • Instruction ID: 8f940c99f6b6b684b3d1328f2722adbea4ff7f14784ed137d33dff90c238283e
                            • Opcode Fuzzy Hash: abef78815e0f20c67dd390d4b7fbc849a4065edd50e78c003621482003607b49
                            • Instruction Fuzzy Hash: CB21A132240309BBDF221EA6EC02EAB3F6DEB95B51F004155FF04750E1D662CA61AB70
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03227
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcquireCredentialsHandleW: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleW
                            • API String ID: 689400697-2657764935
                            • Opcode ID: 3eb997f24f72333c70f076e5984f5ca18bea18d8a35e47253eaa0b5716afe08f
                            • Instruction ID: 173827018df4559dcdaef29f48671df2a795842ace217b4382328f3db930e477
                            • Opcode Fuzzy Hash: 3eb997f24f72333c70f076e5984f5ca18bea18d8a35e47253eaa0b5716afe08f
                            • Instruction Fuzzy Hash: 5A11B776244304BBDB225E62EC07EA73BADEB94B15F004055FF04750E1D562CA6097B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E032F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcquireCredentialsHandleA: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleA
                            • API String ID: 689400697-1172745827
                            • Opcode ID: 9a6a09ff23a9d76748e1fe5ca2953b76d7c19c3dea515be5120c9b00a13f7005
                            • Instruction ID: 69f1188e31257c5cba8534d640ee658d7d736f87fbdad1bdff1fb258cfe074b5
                            • Opcode Fuzzy Hash: 9a6a09ff23a9d76748e1fe5ca2953b76d7c19c3dea515be5120c9b00a13f7005
                            • Instruction Fuzzy Hash: 2111E732244304BBDB222E62AC47EAB3F6DEB85B20F004055FF10750E1DA66CA60A7B0
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E0384E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: AcceptSecurityContext: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcceptSecurityContext
                            • API String ID: 689400697-2008077614
                            • Opcode ID: 721d38bb76339ea58da7893951fe04bc8565899b770038497f23a10f30832a36
                            • Instruction ID: 4cd46c0856a9c420ece3e1f1ee94f8de92a1b51a8ec2d517fabbfd1d1be101fc
                            • Opcode Fuzzy Hash: 721d38bb76339ea58da7893951fe04bc8565899b770038497f23a10f30832a36
                            • Instruction Fuzzy Hash: B011DA76240308BBDF265E66AC07EA73F6DEB84B51F004055FF00750E1D666CA61D771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E04544
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$VerifySignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_VerifySignature
                            • API String ID: 689400697-1495805676
                            • Opcode ID: 788b6e8829d9483b934885d33dc0578010206675a62603c38f35035888a4f3c2
                            • Instruction ID: 1854f6f0c11e22153e2f82ff8692c7bf5bbc62cd04a4c41288bc63cff5151376
                            • Opcode Fuzzy Hash: 788b6e8829d9483b934885d33dc0578010206675a62603c38f35035888a4f3c2
                            • Instruction Fuzzy Hash: BB11E7F6384304BBDB216A66AD47FA73FA8DB81B51F004065FF00B61D1D9A2CE5097B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E040BB
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesW
                            • API String ID: 689400697-247170817
                            • Opcode ID: 398d249cd69bf1bd998121c62fa7bdd2c98571b69894721aae70bbbe593d3559
                            • Instruction ID: 02ad2101e534df98371a69a63abd31425e1f91e971ae3a0db1e4d7293bca8d49
                            • Opcode Fuzzy Hash: 398d249cd69bf1bd998121c62fa7bdd2c98571b69894721aae70bbbe593d3559
                            • Instruction Fuzzy Hash: D7112BB63803057BDA216A62ED43F673B6CD7D1B12F004055FF00B60D2D9A6C9A09771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E0417E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesA
                            • API String ID: 689400697-1164902870
                            • Opcode ID: fdc7db505d5f01b502ca50533082607e13dbcaa30e819bc86a230968a577bc8a
                            • Instruction ID: 89df9ea8932650c3d82e91edcd432b72e7ccb9035283a99a6bf7fc8510f5db55
                            • Opcode Fuzzy Hash: fdc7db505d5f01b502ca50533082607e13dbcaa30e819bc86a230968a577bc8a
                            • Instruction Fuzzy Hash: 97112BB53843057BD6216A62BD03F673F6CD7D0B51F004055FF00B51E1E992CA9097B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E04481
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$MakeSignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_MakeSignature
                            • API String ID: 689400697-3834539683
                            • Opcode ID: b20dfd83d92de4ed8971d1895b1680752925e32be867fbf18e4e4da000a432e4
                            • Instruction ID: 8c1b39b6715d39c451f5528e43b34d1e1d7ca3481b827965d5f4b31cf24a29b8
                            • Opcode Fuzzy Hash: b20dfd83d92de4ed8971d1895b1680752925e32be867fbf18e4e4da000a432e4
                            • Instruction Fuzzy Hash: 6E11E7F5380304BBDA212A56AD43FA73B68DBC1B61F044055FF00B61D1E992CE90E7B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E033CB
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ExportSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ExportSecurityContext
                            • API String ID: 689400697-3640258815
                            • Opcode ID: 7915c698f91c40f0bece1cb9b4d2b00c4969b57e8ba1a9641249edbfd8e7af8b
                            • Instruction ID: c97eb1005b35ab0bf0727450e2b48a0376ae8b787e76583b4612412509c86b63
                            • Opcode Fuzzy Hash: 7915c698f91c40f0bece1cb9b4d2b00c4969b57e8ba1a9641249edbfd8e7af8b
                            • Instruction Fuzzy Hash: 83110A753843047BDA221A66AC47FA73B6CEBC1B51F004055FF10BA0E1D9A2CA549771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03548
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextW
                            • API String ID: 689400697-3257054040
                            • Opcode ID: 8a47d3a8bc2d7ec2bfb180b0b7265ca1aa23011132c5c2cb8bbd081baedf3872
                            • Instruction ID: b75c77ac3897523015c6dc4921e4c3962b6c5f93ca3a86402d16afca149959b4
                            • Opcode Fuzzy Hash: 8a47d3a8bc2d7ec2bfb180b0b7265ca1aa23011132c5c2cb8bbd081baedf3872
                            • Instruction Fuzzy Hash: 4211E7753843047BDA311A66EC47FA73B6CEB81B51F004055FF00B60E1ED92CA549771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E0360B
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextA
                            • API String ID: 689400697-848437295
                            • Opcode ID: 95c1b5ee101259a7c6217a81149672afdf5776c521f2c3102e14e59083bcfe84
                            • Instruction ID: 17213b2a3d8daf8aee90f35ed11633aca5ba80ee569daaf3f5d39eafc6d67a91
                            • Opcode Fuzzy Hash: 95c1b5ee101259a7c6217a81149672afdf5776c521f2c3102e14e59083bcfe84
                            • Instruction Fuzzy Hash: E911C475380304BBDA215A66BC47FAB3B6CDB81B61F000155FF00B61E1DA92CA91A7B5
                            APIs
                            • ncrush_context_reset.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000000), ref: 00DD1B36
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c, xrefs: 00DD1B19
                            • ncrush_context_new: failed to initialize tables, xrefs: 00DD1B0F
                            • com.freerdp.codec, xrefs: 00DD1AF1
                            • ncrush_context_new, xrefs: 00DD1B14
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ncrush_context_reset
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c$com.freerdp.codec$ncrush_context_new$ncrush_context_new: failed to initialize tables
                            • API String ID: 2838332675-904927664
                            • Opcode ID: dd4c0d16fe61395582271169b9e8eb7598a63a02f19028b996fec103fdbe90c0
                            • Instruction ID: beba3b4fc3eba48f46abf42c506ab04094fdb73d9c6e0d36d0106e34c6276f4c
                            • Opcode Fuzzy Hash: dd4c0d16fe61395582271169b9e8eb7598a63a02f19028b996fec103fdbe90c0
                            • Instruction Fuzzy Hash: A5110B722407063AE714AB159C82FA6779CEB51754F10411EF604A6781EBB6E9508BF1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E036CE
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesW
                            • API String ID: 689400697-3413647607
                            • Opcode ID: ac147f90a03cd7c5ecb50d373f97d2284cf75a84b6259cb36074d330fbb44d3d
                            • Instruction ID: 1f93c1e62aca8b5aa1fab2c5e92a257cd6e8f185edc6c2dd37d45793c667092e
                            • Opcode Fuzzy Hash: ac147f90a03cd7c5ecb50d373f97d2284cf75a84b6259cb36074d330fbb44d3d
                            • Instruction Fuzzy Hash: 8B110AB53803047BD6211666EC47F673BACDBD1B51F04405AFF00BA0E1E9A2CA519771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E0378E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesA
                            • API String ID: 689400697-3754301720
                            • Opcode ID: f2d8d9d397df3ecaa2fa56205f0c0f526ae4ad2ea36a5c1a913f65931ec80cd7
                            • Instruction ID: d8451882a8727ccb35f225b6fb8f077afb1de6fba4b1866b77e943b20680e781
                            • Opcode Fuzzy Hash: f2d8d9d397df3ecaa2fa56205f0c0f526ae4ad2ea36a5c1a913f65931ec80cd7
                            • Instruction Fuzzy Hash: 80110AB53803047BE6211666EC47FA73BACE7D1B55F044056FF00B51D1D9A2CA519771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03E7E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesW
                            • API String ID: 689400697-2578917824
                            • Opcode ID: 7c29ffc9d3cddbad3df294ef495125a3233d290cac61f34d990654ec7ca25c1f
                            • Instruction ID: b89ae09209c657fc03ae238c0d15c778f85775dc7531ae558fb41858f6cd34d6
                            • Opcode Fuzzy Hash: 7c29ffc9d3cddbad3df294ef495125a3233d290cac61f34d990654ec7ca25c1f
                            • Instruction Fuzzy Hash: AB112776384304BBDA315636EC43FA73B6CE7D0F61F004156FA00BA0D1D992CA519771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03F3E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesA
                            • API String ID: 689400697-3211427146
                            • Opcode ID: f9aecb23def338c81b86c51d61c5334665e79e8f670f160e252b10d1f503a53c
                            • Instruction ID: 82ce4aa88d5a18f403c1288813402bf7dcef4421a3992b6231e1c0627ad71ed8
                            • Opcode Fuzzy Hash: f9aecb23def338c81b86c51d61c5334665e79e8f670f160e252b10d1f503a53c
                            • Instruction Fuzzy Hash: 8D11E775384305BBD6216676AC03FAB3F6DDBC1B51F044156FF00B61D1D9A2CA509771
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E030AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoW
                            • API String ID: 689400697-2261828479
                            • Opcode ID: 40f86a71e5edc2d9ae1707d2d49f1982ac5847dbb323b959089612198fa72371
                            • Instruction ID: f949225d7c5fd26464ff2888f51fe9747ab48896737d1a51cf2cdbf30f1b1360
                            • Opcode Fuzzy Hash: 40f86a71e5edc2d9ae1707d2d49f1982ac5847dbb323b959089612198fa72371
                            • Instruction Fuzzy Hash: D511E3753843047AE6216666BC07FA73BACD785B25F004095BB00BA0D1E992CA9096B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E0316A
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoA
                            • API String ID: 689400697-3351603741
                            • Opcode ID: eb86fb552f74086d355d4f6ee98bef7853de99a51c3fc32d4b10db63e4c69064
                            • Instruction ID: e3be154f4ee910019155492a4d8eea4949b5e11ccf40fc7865ac3bc2576d5623
                            • Opcode Fuzzy Hash: eb86fb552f74086d355d4f6ee98bef7853de99a51c3fc32d4b10db63e4c69064
                            • Instruction Fuzzy Hash: ED1106753843047AD6212666BC47FA73FACD7D1B11F004065FF00BA1D2DA92CA5097B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03FFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityContextToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityContextToken
                            • API String ID: 689400697-2156878011
                            • Opcode ID: 627b41e8174c6f97d1f0acd8c4013dcba8c85a384b5e71c4b6515a4ad980bb89
                            • Instruction ID: 35a885abbb922d20903123f96a9fb6b5854e5cd3f1aa65dfc43777ccaa97b9d0
                            • Opcode Fuzzy Hash: 627b41e8174c6f97d1f0acd8c4013dcba8c85a384b5e71c4b6515a4ad980bb89
                            • Instruction Fuzzy Hash: 9A1106B5384305BBD6316626AC07FA73B6CDBC1B51F004066FF00FA0D1D992CA5096B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E02F33
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesW
                            • API String ID: 689400697-255015424
                            • Opcode ID: c09ccdf330ea6b879c90ef1e1f42297d3c2f00d1e012119188ba4d8e8ea7dc49
                            • Instruction ID: 7e09c7ef2aea252e62eaeb03ad5dbd7cb47b78a3f2ab02eb10dc1169e0ccc792
                            • Opcode Fuzzy Hash: c09ccdf330ea6b879c90ef1e1f42297d3c2f00d1e012119188ba4d8e8ea7dc49
                            • Instruction Fuzzy Hash: 0111C6753883057BD6212666AC4BFA73BADDBD1B61F00405AFF04BA0E1D992C99097B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E02FF0
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesA
                            • API String ID: 689400697-1149382491
                            • Opcode ID: 79b4b4a6dbba7fa1c3f7018f5ea45042e0ef402e26aa1ae6022a8ea6ef0435db
                            • Instruction ID: f03dc6f52b89a4a2587520f9615acd79b9aed2cbf1ef03ff8b2144c6cea9d4bc
                            • Instruction Fuzzy Hash: B711A7753843047BD6312666AC47EA73B6DDB81B55F004195FF04B90D1D592CE509671
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03920
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: ApplyControlToken: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_ApplyControlToken
                            • API String ID: 689400697-2845897268
                            • Opcode ID: 0a5b5be24c0c80e3b1cb04046a28c7dd84e954767d32631e6649245c697c9df9
                            • Instruction ID: c9a262f21bc0ee85ef2ef1a1bc29f67144f0bf9d590c7ae60ec5f8eda7167965
                            • Instruction Fuzzy Hash: F611C675384304BBEA212666AC47FA73FACD7D1B61F004169FA00BA4D1D9D2CA5096B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E039DD
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$CompleteAuthToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_CompleteAuthToken
                            • API String ID: 689400697-1972714555
                            • Opcode ID: a936c5bb09e438b8043da600c46f84eb1c84d9bd623f4ee43fd16030dee1b19d
                            • Instruction ID: 974e13861795aee0ceaa6ecd6eb29493c80680e9f36af351abfd43a3b65f6cef
                            • Instruction Fuzzy Hash: 9A11C2753843047BEA216667AC47FA73F6CDBC1F61F004169FB44BA0D1E992CB5096B1
                            APIs
                            • freerdp_image_copy.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00DD95B5
                            Strings
                            • SmartScaling requested but compiled without libcairo support!, xrefs: 00DD95E6
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00DD95F0
                            • freerdp_image_scale, xrefs: 00DD95EB
                            • com.freerdp.color, xrefs: 00DD95C8
                            Similarity
                            • API ID: freerdp_image_copy
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$SmartScaling requested but compiled without libcairo support!$com.freerdp.color$freerdp_image_scale
                            • API String ID: 1523062921-212429655
                            • Opcode ID: 6bacb9b6c69f2dc0acbf9d6f6d182a5388dfd8ffedbaa361a2a0b849ae98e456
                            • Instruction ID: da262c508d44f879c1ce855f4935c9c150801359068e75d88048c5ba9ba8c3af
                            • Instruction Fuzzy Hash: DA21D67234020DBBDF1A9F14DC52FEE3BA9EB54700F088119FD049A290E276E950DF60
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E04241
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$RevertSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_RevertSecurityContext
                            • API String ID: 689400697-954186549
                            • Opcode ID: b83cb336a58a3dc7b0adf39ba78c3e66cd3ae5c8ac41c5088508aa7f211bcc26
                            • Instruction ID: 391190263da31bf30fbd5fa2ee12827cf47567c8c28aaee18c7e6c09ff4292f1
                            • Instruction Fuzzy Hash: 7F11C2F53843047BE6212666BD47FA73BACD7D1B61F040066BF00BA0E1E992CA9096B5
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03B54
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeContextBuffer: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeContextBuffer
                            • API String ID: 689400697-1791514552
                            • Opcode ID: beb725c28e5f1f5bccf68e1ec0a1d72cce173395264323e014b30137ef4ec629
                            • Instruction ID: 4627cf721af79c85df829a560f0b105dcb3c801e4c8e62544174e04bdf3ab03d
                            • Instruction Fuzzy Hash: 881102753843047BE6212666AC43FA73EACD7C1B55F0040A9FB00BA0D1ED92CE409AB1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03C0E
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImpersonateSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImpersonateSecurityContext
                            • API String ID: 689400697-4242683877
                            • Opcode ID: 9f8b91eafb333a873a49667ff9389e738cd5d3c49e376275544f1f23128e48d9
                            • Instruction ID: 24646cc1b506cd03bd941ebfae608c7a7b423a3c8d818c4dde75a27216a1cc09
                            • Instruction Fuzzy Hash: 2711C275384304BBE6212636AD87FA73FACDBD1F51F005066BE00FA0E1D992CB9196B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E0348E
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeCredentialsHandle: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeCredentialsHandle
                            • API String ID: 689400697-3116451197
                            • Opcode ID: af9c714e6d2f2f6b1b88a0cd67a1c854eae1ff9b5543e05f400cf4030aee1bd6
                            • Instruction ID: 11a5d1cf7f04a515c32108f7bb45663780682569bb61f9c60903aac126ef116e
                            • Instruction Fuzzy Hash: B2112575384304BBE6322636BC47F673B6CD7C1B51F008066FB00BA0D1D992CA8096B1
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(010B70C8,00E04AA1,00000000,00000000), ref: 00E03A9A
                            Strings
                            Similarity
                            • API ID: Once$ExecuteInit
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DeleteSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DeleteSecurityContext
                            • API String ID: 689400697-4185332897
                            • Opcode ID: 318fe17660f4d0f9ce62cfc08f44648c6f9dc117876b017969b535a265bdc97b
                            • Instruction ID: 1c6e94b35f6e66cfc76016706c348a4500bf53cf04bb6363b500da283f8abf69
                            • Instruction Fuzzy Hash: 4B1125753803047BE6321666AC43FA73BACD7D1B55F000169FB00BA0E1E992CA8096B1
                            APIs
                            • primitives_get.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE ref: 00E865CB
                            Strings
                            • error when decoding lines, xrefs: 00E86629
                            • com.freerdp.codec, xrefs: 00E8660B
                            • yuv_process_work_callback, xrefs: 00E8662E
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c, xrefs: 00E86633
                            Similarity
                            • API ID: primitives_get
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c$com.freerdp.codec$error when decoding lines$yuv_process_work_callback
                            • API String ID: 2017034601-2620645302
                            • Opcode ID: be206209256d5c2a1d83997dc8ade0252070c8f3819e835ec4385b9f70e9bbca
                            • Instruction ID: 07b03ba42d6ef33b4b7ea5f523df993750703fe4e8f11b864222e6087280b314
                            • Instruction Fuzzy Hash: 480188B1600209BFDB14EF54DC02F59B7A8FF04718F044159F908DA281EA75E9409FA4
                            APIs
                            • region16_extents.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DD9F06
                            • region16_extents.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?), ref: 00DD9F12
                            • region16_n_rects.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?), ref: 00DD9F1D
                            • region16_n_rects.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DD9F7D
                            Similarity
                            • API ID: region16_extentsregion16_n_rects
                            • String ID:
                            • API String ID: 2062899502-0
                            • Opcode ID: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
                            • Instruction ID: ff3251cd3845f18dcedadbee102a93d9f5365af45d90bc9952ee1b356d2a54f1
                            • Opcode Fuzzy Hash: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
                            • Instruction Fuzzy Hash: DC512A75A00229ABCB14DF99C8408AEF7F5FF18710B55816AE859E7350E335EE40CBB0
                            APIs
                            • InitOnceExecuteOnce.KERNELBASE(01031278,007F8C90,007F8EC0,00000000), ref: 007F8E6A
                            • GetLastError.KERNEL32 ref: 007F8E7F
                            • TlsGetValue.KERNEL32 ref: 007F8E8D
                            • SetLastError.KERNEL32(00000000), ref: 007F8E96
                            • TlsAlloc.KERNEL32 ref: 007F8EC3
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ErrorLastOnce$AllocExecuteInitValue
                            • String ID:
                            • API String ID: 2822033501-0
                            • Opcode ID: 218737cbd98c92ea9ac25f7389441bf482b784913dfd8dc2d9e5e48b3e742bd8
                            • Instruction ID: aa21d26674f977902d8678e0c2b128f016c72a3e90c229c33f885b4d29b81cf4
                            • Opcode Fuzzy Hash: 218737cbd98c92ea9ac25f7389441bf482b784913dfd8dc2d9e5e48b3e742bd8
                            • Instruction Fuzzy Hash: E001C4B560020C9FCB109FBAEC49A7A77BCFB48B11B400126F915E7390EB3599148B61
                            APIs
                            • audio_format_print.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?), ref: 00E84A72
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: audio_format_print
                            • String ID: AUDIO_FORMATS (%hu) ={$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_formats_print
                            • API String ID: 2744001552-3527835062
                            • Opcode ID: 469cdea7ea94f545fa889bebaced8301b8506f0abd8f0b7f64337f96432234d7
                            • Instruction ID: 85ca4e98aa9667cbc41438f6ec066f143b2cc9c6814acea986d5db735117f37a
                            • Opcode Fuzzy Hash: 469cdea7ea94f545fa889bebaced8301b8506f0abd8f0b7f64337f96432234d7
                            • Instruction Fuzzy Hash: A711A57228031636EA15AE155C42FBB275CDF65B64F054055F91CB51C1F6A1D60093B6
                            APIs
                            • getChannelError.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D81248
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ChannelError
                            • String ID: ($ChannelDetached$freerdp
                            • API String ID: 1163697128-436519898
                            • Opcode ID: a006e5e7a51db26b93f7661fcccfff10dda9af0a014f0123755cedd56f395108
                            • Instruction ID: c3931973b23fcbaa03208bddbd36b11154284898f8180c5aa55eb4a9faa787c9
                            • Opcode Fuzzy Hash: a006e5e7a51db26b93f7661fcccfff10dda9af0a014f0123755cedd56f395108
                            • Instruction Fuzzy Hash: 28213D75A00209AFDB14DF98C885FAEBBF9FF08344F104469E944EB251D770AA559FA0
                            APIs
                            • getChannelError.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D80BB2
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ChannelError
                            • String ID: ($ChannelAttached$freerdp
                            • API String ID: 1163697128-2646891115
                            • Opcode ID: 23f8440526368138a212b801aa2f18db117d3513822fd8d38211a1bf625ea9a6
                            • Instruction ID: 03e41d898db8630cf79cc1408b935dbfc0a25378c0ea30e0e3489fe5375abc75
                            • Opcode Fuzzy Hash: 23f8440526368138a212b801aa2f18db117d3513822fd8d38211a1bf625ea9a6
                            • Instruction Fuzzy Hash: D2212C71A00209EFDB04DF98C885FAEBBF4FF08354F144569E948A7252E770AA549BA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID:
                            • String ID: audin$rdpsnd
                            • API String ID: 0-930729200
                            • Opcode ID: 7c0475cd44f4378e9d802355989a63adfe1fc79135141be04c7e1e40ca039450
                            • Instruction ID: 746a1651418015a59008aa02da6c3b5b8b488c6eb49de794faa7684a37f93d01
                            • Opcode Fuzzy Hash: 7c0475cd44f4378e9d802355989a63adfe1fc79135141be04c7e1e40ca039450
                            • Instruction Fuzzy Hash: 3F113331A09A1AEBD725CF24C8806FAF3B4FB05B51F1A822AE55957140D771A990CBE1
                            APIs
                            • audio_format_get_tag_string.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,?,?,?,?), ref: 00E84737
                            Strings
                            • %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu, xrefs: 00E8473E
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00E84748
                            • audio_format_print, xrefs: 00E84743
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: audio_format_get_tag_string
                            • String ID: %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_format_print
                            • API String ID: 2866491501-3564663344
                            • Opcode ID: 2475ba101f63905f6d37d95513fe2099d7c62e20fb913483872a2c8de66ab3fb
                            • Instruction ID: 88fea08070abfbc029ec749b4ec6d41bcb74a77b41745714fe7b44c9deb5004d
                            • Opcode Fuzzy Hash: 2475ba101f63905f6d37d95513fe2099d7c62e20fb913483872a2c8de66ab3fb
                            • Instruction Fuzzy Hash: 5DF030B6140208BAEB411F91CC02E76376DEB48B14B25C049FD5C9C1E1E677D9A2E774
                            APIs
                            • freerdp_get_last_error.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00D72725
                            • freerdp_set_last_error_ex.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,0002000B,freerdp_abort_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,0000013A), ref: 00D72745
                            Strings
                            • C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00D72734
                            • freerdp_abort_connect, xrefs: 00D72739
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_get_last_errorfreerdp_set_last_error_ex
                            • String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$freerdp_abort_connect
                            • API String ID: 3690923134-629580617
                            • Opcode ID: c89517776bdef020685ac3a0d5a535b7997bf2836c2efd4f17917781079dce91
                            • Instruction ID: 3e483461d959f097493b4fb8f786710372bb84b75f3234a5c8604d94ffbb4019
                            • Opcode Fuzzy Hash: c89517776bdef020685ac3a0d5a535b7997bf2836c2efd4f17917781079dce91
                            • Instruction Fuzzy Hash: 22E0D831240250EBDB252D11ED43B65F794DF00B90F188425B5CC75091FB619E41A6B1
                            APIs
                            • primitives_get.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE ref: 00E8633F
                            • primitives_flags.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000), ref: 00E86353
                            • TpWaitForWork.NTDLL(00000000,00000000), ref: 00E864A9
                            • TpReleaseWork.NTDLL(00000000), ref: 00E864B2
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: Work$ReleaseWaitprimitives_flagsprimitives_get
                            • String ID:
                            • API String ID: 704174238-0
                            • Opcode ID: 669a40efe36c93a0e64fbc65839f32cd71568a1e7ebdd754390572d5576e0212
                            • Instruction ID: b14d2b615812f11ab264950629c94043957f40ac8d9c3d494ab69b6eac0631f6
                            • Opcode Fuzzy Hash: 669a40efe36c93a0e64fbc65839f32cd71568a1e7ebdd754390572d5576e0212
                            • Instruction Fuzzy Hash: C36117B5A0060ADFCB14DFA8C981AAEBBF5FF48314B14856AE819E7350D730E955CF90
                            APIs
                            • gdi_SetRgn.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?,?,00000000,00000001,?,?), ref: 00DDC324
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: gdi_
                            • String ID:
                            • API String ID: 2273374161-0
                            • Opcode ID: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
                            • Instruction ID: 04db80fd660321166dea62bcb205c9655d5be6cf9fcd2f4ca1d7da2ccbbd93c9
                            • Opcode Fuzzy Hash: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
                            • Instruction Fuzzy Hash: 1C31B7B5910209EFCB10DF98C9859AEB7FAFF48314F14816AE915E7211D335EA45CBA0
                            APIs
                            • RtlEnterCriticalSection.NTDLL(?), ref: 00E05C16
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00E05C34
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00E05C54
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00E05C9A
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: CriticalSection$Leave$Enter
                            • String ID:
                            • API String ID: 2978645861-0
                            • Opcode ID: 02a3e02e549c9dc230044769d37f88d02c296c7eef885652abc5c2dd2e705e06
                            • Instruction ID: fb70281915fda5b3247cb0c5cd8cb539f8114e72d05e89d92bf17b5a93e8dc2d
                            • Opcode Fuzzy Hash: 02a3e02e549c9dc230044769d37f88d02c296c7eef885652abc5c2dd2e705e06
                            • Instruction Fuzzy Hash: ED219D72200B05EFEB24CF14C984A6AB7F4FB45329F11552AE882B7290E770AD86CF50
                            APIs
                            • region16_rects.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000), ref: 00DD9BDC
                            • region16_extents.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DD9BEC
                            • rectangles_intersects.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,?), ref: 00DD9BF7
                              • Part of subcall function 00DD97FD: rectangles_intersection.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,?,?), ref: 00DD980C
                            • rectangles_intersects.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,?), ref: 00DD9C1A
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: rectangles_intersects$rectangles_intersectionregion16_extentsregion16_rects
                            • String ID:
                            • API String ID: 3854534691-0
                            • Opcode ID: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
                            • Instruction ID: 118643e7c735e9f7a8acb7e7ece5d0471d9de383e4810cb49a653f509adbf097
                            • Opcode Fuzzy Hash: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
                            • Instruction Fuzzy Hash: 68018033134219AAAB249B5DD8A1ABBE3DCDB40765F58411BF8589A240EB37EC81C1B4
                            APIs
                            • freerdp_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE ref: 00DF1F56
                            • freerdp_context_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000,00000000,?,?), ref: 00DF1FA4
                            • freerdp_register_addin_provider.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?,00000000), ref: 00DF1FC7
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_context_newfreerdp_newfreerdp_register_addin_provider
                            • String ID:
                            • API String ID: 3731710698-0
                            • Opcode ID: c9c351afadd7d74fc9050d5e9992440d9ea0ed848e55313c5e1452aff8ffdd57
                            • Instruction ID: 4b6b1205a42ba7b2ef6fb6c882910c86c66989603521f8e5d3bae3c1b9102fba
                            • Opcode Fuzzy Hash: c9c351afadd7d74fc9050d5e9992440d9ea0ed848e55313c5e1452aff8ffdd57
                            • Instruction Fuzzy Hash: 91119136604B0A9BC725AB66D801A66B7A5FF50320F15841DF95887241EB70E850CBB0
                            APIs
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,?,00E06A0A,?,?,00000000,?,00DFE976,00000000), ref: 00E0697B
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpin
                            • String ID: %s: unknown handler type %u$WLog_Appender_New
                            • API String ID: 2593887523-3466059274
                            • Opcode ID: 76426035e1a7b2cf4a28c5a607df65384fdf8ce763bdc768bf1039f052ec8d17
                            • Instruction ID: c4c5118ec095edf90d90dc98aaabbba925091d5d5c7dbdc87c5f7c5a13a0a8db
                            • Opcode Fuzzy Hash: 76426035e1a7b2cf4a28c5a607df65384fdf8ce763bdc768bf1039f052ec8d17
                            • Instruction Fuzzy Hash: 1E115C3210820266C5223A38AC46F7F67ACDBC2B347943429F405B6DD1DE30D8E16162
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s%s-client.%s$DeviceServiceEntry
                            • API String ID: 0-2733899524
                            • Opcode ID: 6f30c88609a6ff82e0304ba61945d56edd5f13820ba194facad77c84c68a2a66
                            • Instruction ID: ef927d9480aed30c0c9ff63fa823f77deecf408c66dd7188717b103ddf1ddc62
                            • Opcode Fuzzy Hash: 6f30c88609a6ff82e0304ba61945d56edd5f13820ba194facad77c84c68a2a66
                            • Instruction Fuzzy Hash: A3119472A00319ABEB129F99C881BAF77ACDF40750F48802AFD18D7241E770DE419BB1
                            APIs
                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00DB4060
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00DB4076
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: File$CreatePointer
                            • String ID: %s %hu %s %s %s
                            • API String ID: 2024441833-2916857029
                            • Opcode ID: 3b9a0a9b3ef9926bc8f8bdffb1d72c6c682f96800e48eab48ee8fd573580d038
                            • Instruction ID: 7edf199f1f4165f4e5574a218c4fe54d1a5c3e4a97b2aa114373515cec4936c5
                            • Opcode Fuzzy Hash: 3b9a0a9b3ef9926bc8f8bdffb1d72c6c682f96800e48eab48ee8fd573580d038
                            • Instruction Fuzzy Hash: 8501F231102110BBDB212B62EC4EEAB7F29EF45370F148115FA1C990E2D722C852D6B0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,00000000,?,00DFE987), ref: 00DFEBF6
                            • GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,?,?,00DFE987), ref: 00DFEC1A
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WLOG_FILTER
                            • API String ID: 1431749950-2006202657
                            • Opcode ID: 25a05392577c38789f63a8a4a6339ec902dc49402a3c0ebff0f0f523e71072bb
                            • Instruction ID: 329e69f283638d4181db90761311c48e3a7454dff31db1320ebdf74e608025d0
                            • Opcode Fuzzy Hash: 25a05392577c38789f63a8a4a6339ec902dc49402a3c0ebff0f0f523e71072bb
                            • Instruction Fuzzy Hash: EDF02B3331421D2F46202765BC89C7B7FEDDA95BAA351042BF509D7151EB2A4C4A87B1
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00E04AE3), ref: 00E04BCC
                            • GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00E04AE3), ref: 00E04BEC
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: EnvironmentVariable
                            • String ID: WINPR_NATIVE_SSPI
                            • API String ID: 1431749950-1020623567
                            • Opcode ID: 0fd3dca39d086724d7f931ce89b82d32e0a6c4d76b7e63ac656f96d8396512b8
                            • Instruction ID: 7a83aecbf558675d21b0680645679a140159ee0dcc63e5b417e9d7c9227c683d
                            • Opcode Fuzzy Hash: 0fd3dca39d086724d7f931ce89b82d32e0a6c4d76b7e63ac656f96d8396512b8
                            • Instruction Fuzzy Hash: 8FF02EF729A1321AF53531657D45F7B8E64CB83F25F25111AFA01F31C1DA40888755E1
                            APIs
                            • rfx_context_new.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DCA2ED
                              • Part of subcall function 00DBE4DD: GetVersionExA.KERNEL32(?), ref: 00DBE5CD
                              • Part of subcall function 00DBE4DD: GetNativeSystemInfo.KERNEL32(?), ref: 00DBE5E7
                              • Part of subcall function 00DBE4DD: RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00DBE612
                            • progressive_context_free.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000), ref: 00DCA36D
                            Strings
                            • com.freerdp.codec.progressive, xrefs: 00DCA2CA
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: InfoNativeOpenSystemVersionprogressive_context_freerfx_context_new
                            • String ID: com.freerdp.codec.progressive
                            • API String ID: 2699998398-3622116780
                            • Opcode ID: 6db6063e9a0fd52d784cafc24265b53c4b0ae5bcf6cd697cf6c5cf64952e2798
                            • Instruction ID: f34c64d2cb7d34d69ffa796a5ecc9f381c9f6e8ff9bb91bf9d66488571f5bc88
                            • Opcode Fuzzy Hash: 6db6063e9a0fd52d784cafc24265b53c4b0ae5bcf6cd697cf6c5cf64952e2798
                            • Instruction Fuzzy Hash: FFF0E03260574715D22077F99C11F8B7BD8DF82774F18402EF505E75C1DA7094018676
                            APIs
                            • freerdp_settings_get_key_for_name.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(?), ref: 00DB1EEF
                            • freerdp_settings_get_type_for_key.NQDZLQPAYJFIOEFVLKMBVGUKRPWCNNA-ELEVATE(00000000), ref: 00DB1F51
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: freerdp_settings_get_key_for_namefreerdp_settings_get_type_for_key
                            • String ID: TRUE
                            • API String ID: 1888880752-3412697401
                            • Opcode ID: a7a297d361a7e42153811db794e32f06c61addcadfe3892acd04762f33822e4c
                            • Instruction ID: 67134fc20826d89d9cda7b612d8968f7fc784c5892cec9fb9dc307fe3bb0eb2f
                            • Opcode Fuzzy Hash: a7a297d361a7e42153811db794e32f06c61addcadfe3892acd04762f33822e4c
                            • Instruction Fuzzy Hash: 7FE0E537300328EA9A155A9EDC82DEF725CEF49FB1B450125F906A6241AB60E90085B0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,00E07163), ref: 00E07190
                            • GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,?,00E07163), ref: 00E071B1
                              • Part of subcall function 00E07310: LoadLibraryA.KERNEL32(?,?,00E071C4,00000000,?,?,00E07163), ref: 00E07316
                              • Part of subcall function 00E07310: GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00E0732B
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true (associated dumps as listed above)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: EnvironmentVariable$AddressLibraryLoadProc
                            • String ID: WTSAPI_LIBRARY
                            • API String ID: 3590464466-1122459656
                            • Opcode ID: 1652febe41b89f9abee41103744874d0c672af699142ec73f5e587f881d7d202
                            • Instruction ID: d90091e497f503f2524e6831be95ab05cefa381e7e6fa2f4c5b4b4c959498479
                            • Opcode Fuzzy Hash: 1652febe41b89f9abee41103744874d0c672af699142ec73f5e587f881d7d202
                            • Instruction Fuzzy Hash: 9FE02B3260F53269D1342254BC0AFAF1B95CBC2B2EF20141AF840B61C4DB54788681B2
                            APIs
                            • LoadLibraryA.KERNEL32(?,?,00E071C4,00000000,?,?,00E07163), ref: 00E07316
                            • GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00E0732B
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: InitWtsApi
                            • API String ID: 2574300362-3428673357
                            • Opcode ID: b5c220fd0af8fc5df8c2c1ea97a87a160943378f984d010dcd5548c80963f777
                            • Instruction ID: 28083d909d133f206bf065d3dd4c40529115f1f848e6540f6e2e96d989c5eabf
                            • Opcode Fuzzy Hash: b5c220fd0af8fc5df8c2c1ea97a87a160943378f984d010dcd5548c80963f777
                            • Instruction Fuzzy Hash: AAD02B709083099FDF00EFF6AC058123FDCD7406453001833AC4CF10C0EB75E480A660
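The two records above are the kind of listing a triage script can mine: the one whose API ID is EnvironmentVariable$AddressLibraryLoadProc with string WTSAPI_LIBRARY, and the one that resolves InitWtsApi through LoadLibraryA and GetProcAddress. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "APIs" and "Similarity" fields in the layout used on this page and reports LoadLibrary -> GetProcAddress chains (symbols resolved by name) plus records whose API ID combines an environment-variable read with a library load. The embedded listing is constructed from lines on this page; the helper names are mine; reading WTSAPI_LIBRARY as an environment-variable name is an inference from the API ID, not confirmed behaviour of the sample.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' listings and extract
dynamic-import indicators. Added example; helper names are the author's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from lines of this report page (record order as on the page:
# the first record's 'APIs' block lies above the visible section).
SAMPLE = """\
Similarity
• API ID: EnvironmentVariable$AddressLibraryLoadProc
• String ID: WTSAPI_LIBRARY
APIs
• LoadLibraryA.KERNEL32(?,?,00E071C4,00000000,?,?,00E07163), ref: 00E07316
• GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00E0732B
Strings
Memory Dump Source
• Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: InitWtsApi
APIs
• GetLastError.KERNEL32(?,?,00E5B650,00FB0388,0000000C), ref: 00E6F430
• SetLastError.KERNEL32(00000000), ref: 00E6F4D2
  • Part of subcall function 00E6F717: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00E6F758
Similarity
• API ID: ErrorLast$Heap$AllocateFree
• String ID:
"""

# One call line: optional 'Part of subcall function <addr>:' prefix, then
# Api.MODULE(arg,arg,...), ref: <addr>
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*?)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # callee address when the call sits in a subcall

    def string_args(self) -> List[str]:
        """Arguments that are neither unknown ('?') nor 32-bit hex: names the sandbox resolved."""
        return [a for a in self.args if a and a != "?" and not HEX_RE.match(a)]


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_listing(text: str) -> List[FunctionRecord]:
    """Split the listing into per-function records; an 'APIs' header opens a record."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:  # similarity fields of a record whose APIs block is cut off above
            current = FunctionRecord()
            records.append(current)
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.calls.append(Call(m.group("api"), m.group("mod"), args,
                                      m.group("ref").upper(), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if m:
            if m.group("key") == "API ID":
                current.api_id = m.group("val")
            else:
                current.string_id = m.group("val")
    return records


def dynamic_import_indicators(records: List[FunctionRecord]) -> List[Tuple[int, str, str]]:
    """(record index, GetProcAddress ref, symbol) for records that also call LoadLibrary*."""
    out = []
    for i, rec in enumerate(records):
        if not any(c.api.startswith("LoadLibrary") for c in rec.calls):
            continue
        for c in rec.calls:
            if c.api == "GetProcAddress":
                out.extend((i, c.ref, sym) for sym in c.string_args())
    return out


def env_controlled_libraries(records: List[FunctionRecord]) -> List[str]:
    """String IDs of records whose API ID names an environment-variable read and a
    library load together. Inference from the similarity fields, not proven behaviour."""
    return [r.string_id for r in records
            if "EnvironmentVariable" in r.api_id and "LibraryLoad" in r.api_id and r.string_id]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for idx, ref, sym in dynamic_import_indicators(recs):
        print(f"record {idx}: GetProcAddress @ {ref} resolves {sym}")
    for name in env_controlled_libraries(recs):
        print(f"library path may come from environment variable: {name}")
```

The "Part of subcall function" lines are kept as calls with their callee address so that heap and error-handling helpers stay attributable; the symbol-by-name check deliberately ignores "?" and raw hex arguments, since only resolved strings such as InitWtsApi are useful as indicators.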
                            APIs
                            • GetLastError.KERNEL32(?,?,00E5B650,00FB0388,0000000C), ref: 00E6F430
                            • SetLastError.KERNEL32(00000000), ref: 00E6F4D2
                            • GetLastError.KERNEL32(00000000,?,00E55FDD,00E6F0E3,?,?,00DFF77A,0000000C,?,?,?,?,00D727D2,?,?,?), ref: 00E6F581
                            • SetLastError.KERNEL32(00000000,00000006), ref: 00E6F623
                              • Part of subcall function 00E6F717: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00E6F758
                              • Part of subcall function 00E6F066: HeapFree.KERNEL32(00000000,00000000,?,00E7B935,?,00000000,?,?,00E7BBD6,?,00000007,?,?,00E7BF89,?,?), ref: 00E6F07C
                              • Part of subcall function 00E6F066: GetLastError.KERNEL32(?,?,00E7B935,?,00000000,?,?,00E7BBD6,?,00000007,?,?,00E7BF89,?,?), ref: 00E6F087
                            Memory Dump Source
                            • Source File: 00000003.00000002.18293662934.0000000000791000.00000040.00000001.01000000.00000006.sdmp, Offset: 00790000, based on PE: true
                            • Associated: 00000003.00000002.18293621387.0000000000790000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F14000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000F1C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FBB000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000000FDF000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.000000000102C000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000010C8000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.00000000012B1000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001CB3000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001E1A000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18293662934.0000000001EBD000.00000040.00000001.01000000.00000006.sdmp
                            • Associated: 00000003.00000002.18296339719.0000000001EE3000.00000004.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_790000_nqdzlqpayjfioefvlkmbvgukrpwcnna-elevate.jbxd
                            Similarity
                            • API ID: ErrorLast$Heap$AllocateFree
                            • String ID:
                            • API String ID: 2037364846-0
                            • Opcode ID: c1f47b36f408e41f3bf48223ac98856e5c85ff371ca757c0e13aa61a49dc45ff
                            • Instruction ID: 06b357b6487d9390654760ffb32d5f6e105e9469f5fe9c05ed2cedfda3dae8fe
                            • Opcode Fuzzy Hash: c1f47b36f408e41f3bf48223ac98856e5c85ff371ca757c0e13aa61a49dc45ff
                            • Instruction Fuzzy Hash: B541C63668A3116ED6203B7CBD87D6B368C9F017F4B146271F635BB1E1DF108D065650